Subject: Re: Bug Bounties. Making $ from bugzilla.
From: (Kevin A. Burton)
Date: 26 Nov 2001 14:03:21 -0800

Ian Lance Taylor <> writes:

> (Kevin A. Burton) writes:
> > > If I am an expert in the software, I insert a set of bugs into a release, and
> > > I prepare patches in advance.  Then I wait for people to offer money to fix
> > > them, and I release the patches.
> > 
> > HA!   Funny.
> I don't mean to be funny.  If you create a set of rules which can lead to
> money, some people will follow those rules.

Yes.  I know you were being serious.  

> > True.  But I think that no self respecting software engineer would do this.
> There are certainly many people who value self respect more than money.  But
> there are many people who do not.
> This is not a serious risk if there isn't much money in the bug bounty system,
> and it's probably not worth worrying about.

The threat model should at least be documented, even if it is minor.

> But if the bug bounty system does become popular, and the amounts of money
> become serious, then this is a real risk.  Reputation doesn't matter if the
> amount of money is large enough, because you only have to score once.

Yes.  But this type of stuff happens in the real world all the time.  It has
been happening for at least 1000 years or so.  A good example would of course
be politics :).

There is no way we could eliminate this just by bringing it onto the


- -- 
Kevin A. Burton (,, )
             Location - San Francisco, CA, Cell - 415.595.9965
        Jabber -,  Web -

Resistance is *not* futile!