Subject: Re: Bug Bounties. Making $ from bugzilla.
From: Ian Lance Taylor <ian@airs.com>
Date: 25 Nov 2001 20:50:41 -0800

burton@openprivacy.org (Kevin A. Burton) writes:

> > If I am an expert in the software, I insert a set of bugs into a release, and
> > I prepare patches in advance.  Then I wait for people to offer money to fix
> > them, and I release the patches.
> 
> HA!   Funny.

I don't mean to be funny.  If you create a set of rules which can lead
to money, some people will follow those rules.

> True.  But I think that no self-respecting software engineer would do this.

There are certainly many people who value self-respect more than
money.  But there are many people who do not.

This is not a serious risk if there isn't much money in the bug bounty
system, and it's probably not worth worrying about.  But if the bug
bounty system does become popular, and the amounts of money become
serious, then this is a real risk.  Reputation doesn't matter if the
amount of money is large enough, because you only have to score once.

Ian