Something that’s been bothering me for years in the security world: why do researchers demand bug bounties for vulnerabilities in open source projects, when the very contributors maintaining and fixing those issues get nothing, just goodwill?
It feels deeply unfair. The burden falls on unpaid maintainers, yet bounty hunters get rewarded. If you want a paid bounty, maybe help fund the people who actually fix the mess too.
@adulau yeah, there should be a 70/30 split on bug bounties, 70 for the fix, 30 for finding the bug.
@krisbuytaert @adulau yeah, sounds good.
@hyc Sounds like a fair deal.
@adulau
It started in the proprietary world: if you find a bug there, the company that sells the right to use the software makes exploitation money from that, so it makes some sense there to hand some of that money out to people who help you exploit more.
Somehow that then got pulled over to open source software...🤷