Subject: Re: Bug Bounties. Making $ from bugzilla.
From: burton@openprivacy.org (Kevin A. Burton)
Date: 25 Nov 2001 15:55:16 -0800


Ben Laurie <ben@algroup.co.uk> writes:

> "Jonathan S. Shapiro" wrote:
> > 
> > > What's Bob's incentive to provide the patch speedily?  Why wouldn't
> > > all the Bobs of the system wait until the bounty stops going up?
> > 
> > Bob is in competition with Bob', and it's an all or nothing game. What is
> > needed here is a mechanism for Bob to say "I'm fixing it, and I need X
> > hours", gaining a time-limited exclusive on the contract.
> > 
> > The problem with the mechanism as described so far is that there is no
> > process for determining whether the fix is a "good" fix. Somebody
> > knowledgeable about the software actually needs to vet the change.
> > 
> > However, this can be solved by endorsement models as well. The project can
> > identify several people who it believes are reasonable vetters of changes.
> > Individuals can also say "I have this bug, and I'll believe it's fixed when
> > one of {Fred, Mary, Jane, * recommended by project} say so." The vetting
> > party needs to get a percentage of the take.
> > 
> > Beyond that, however, I see a flaw.
> > 
> > If I recall correctly, it was the experience of Cygnus that most patches
> > supplied were undesirable, in that they tended to point the way toward the
> > right solution but were not themselves the right solution. I have a vague
> > recollection that Mike or John Gilmore told me at one point that there were
> > only 10 or 15 outside people whose patches they found could routinely just
> > be applied. This leads me to wonder what quality level the bug bounty could
> > generate.
> > 
> > I therefore think further tinkering in the payment model is likely to be
> > needed. One possibility is for the vetting party to be able to say "Bob has
> > supplied a fix. It's a workaround, but it's not the right workaround because
> > of X, Y, Z. We're going to award Bob 20%, but we're not going to endorse the
> > change as an official change."
> 
> Why would we think the vetting party is any better at doing this than
> Bob? Also, I can see two conflicts of interest here:
> 
> a) If the vetting party reduces the award, they presumably reduce their
> commission.

I think it is possible to remove the 3rd party by using Reputation to resolve
this.

... I will post a more detailed approach soon.

> b) If the vetting party says it is not the right workaround, they can then
> provide the right one for the other 80%....

true.

Kevin

-- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
             Location - San Francisco, CA, Cell - 415.595.9965
        Jabber - burtonator@jabber.org,  Web - http://relativity.yi.org/

In this business, the only real open industry standard in the computer industry
is Linux, which thankfully remains beyond the clutches of the moguls. Everything
else is hokum designed to lock developers (and by extension, customers) into
proprietary corners of the computing constellation.