Subject: Re: Bug Bounties. Making $ from bugzilla.
From: burton@openprivacy.org (Kevin A. Burton)
Date: 25 Nov 2001 16:04:27 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Karsten M. Self" <kmself@ix.netcom.com> writes:

> on Sun, Nov 25, 2001 at 12:56:03PM -0800, Ian Lance Taylor (ian@airs.com) wrote:
> > burton@openprivacy.org (Kevin A. Burton) writes:
> > 
> > > > If they are an expert on that software, mightn't they be the ones that are
> > > > doing the fixing?  That would create a conflict of interest.
> > > <snip>
> > > 
> > > I am confused by this last sentence.  I wouldn't have a problem with an expert
> > > getting paid to fix bugs.
> > 
> > If I am an expert in the software, I insert a set of bugs into a
> > release, and I prepare patches in advance.  Then I wait for people to
> > offer money to fix them, and I release the patches.
> > 
> > People used to routinely argue that Cygnus had a strong incentive to
> > do this.  They were wrong, for two reasons: 1) we didn't have to
> > intentionally insert extra bugs; we inserted plenty by mistake; 2) our
> > real competitors were not other free software support shops, but other
> > companies which provided alternative embedded development tools, so if
> > we shipped a buggy product, people would switch away from free
> > software and we would get no repeat business.
> > 
> > In the bug bounty system, reason 1 still exists, but reason 2 does
> > not.
> 
> Bug bounties are potentially quite harmful in this regard.  They work where
> the development, bugfixing, and project management are tightly integrated.
> TeX comes to mind.  In this case, it's a bounty paid by Knuth to anyone who
> finds a bug in TeX.  The bounty has been rarely paid.

How many claims have there been?  If I remember correctly the bounty is less
than $5.00...

> In a larger, more complex organization, a similar scheme would create a
> significant moral hazard (economics / insurance term).  A developer could
> collaborate with one or more confederates on the outside to seed a product
> with bugs, for which bounties are paid on discovery.

Of course this would only work in a closed system.  Remember just because
someone introduces bugs doesn't mean that they aren't fixed for $0.0 by other
contributors.

Also... there would be a SEVERE punishment if anyone was found doing this.

> In Knuth's case, loss and benefit both accrue directly to him.  In the
> corporate case (the context I first pointed this problem out in involved
> Microsoft -- which probably has its own issues in assessing developer
> loyalties given a long history of illegal monopolistic business practices),
> costs (drafts on the corporate treasury) and benefits (bounties paid to bug
> discoverers) accrue differentially.  Checks would have to be put in place to
> curb bias and abuse.

This is a noop.  Society already has this.  It is called reputation.

What is stopping Linus from adding horrible bugs into the Linux kernel and then
fixing them?  If he did he would appear like a GOD (of course a lot of people
think he already is, but this is beside the point).

The point is that the potential penalty would FAR outreach the benefits.

Sure it will happen every once in a while.  No problem.  The advantages of the
Bug Bounty system would potentially outweigh any abuses.

> The bounty suggestion posed here is probably less inherently pervertible than
> the corporate case, but the system would have to be examined very carefully
> and continually monitored.

I don't think it is this severe but it does need to be taken into account.

... we need more comprehensive docs here.

Kevin

- -- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
             Location - San Francisco, CA, Cell - 415.595.9965
        Jabber - burtonator@jabber.org,  Web - http://relativity.yi.org/

Failure to accept hypocrisy is the sign of a weak mind.
  - me
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Get my public key at: http://relativity.yi.org/pgpkey.txt

iD8DBQE8AYb3AwM6xb2dfE0RAu2BAKDAMagRxwaCsRHTvtUKVuhCUrtxCACeKpNb
UtWKs2DJ8G3KxALKFnz4NSQ=
=oJkg
-----END PGP SIGNATURE-----