You might have seen that already before when we had some discussion about the FOSSA project, but as I was just commenting on a policy paper which was mentioning bug bounties, I thought it would be good to remind you about this write-up by the Apache Software Foundation:
Chapter "Bug Bounties - a Panacea?" in https://blogs.apache.org/foundation/entry/free_and_open_source_security
I would be interested in what people here think about that.
Best Regards, Matthias
On Friday 16. June 2017 10.02.43 Matthias Kirschner wrote:
> You might have seen that already before when we had some discussion about the FOSSA project, but as I was just commenting on a policy paper which was mentioning bug bounties, I thought it would be good to remind you about this write-up by the Apache Software Foundation:
> Chapter "Bug Bounties - a Panacea?" in https://blogs.apache.org/foundation/entry/free_and_open_source_security
> I would be interested in what people here think about that.
The issue of bounties came up in my recent article about Free Software funding:
https://blogs.fsfe.org/pboddie/?p=1620
I think my observations can be summarised as the following:
1) Bounties are often not fair sums for the work to be done.
2) By rewarding the first to complete the work, they promote destructive competition and make the "romantic" role of "bounty hunter" less viable.
3) The above factors mean that people are less likely to tackle big problems through collaboration because the money isn't good enough and people will want to maximise their rewards by going it alone (and probably failing).
4) Bounties can therefore be ill-suited to actually getting significant work done. (They can be useful for funding small tasks, but this may only amount to "pocket money" and probably doesn't actually allow people to live off the rewards.)
So, I guess I probably agree with the specific observations about bounties as a way of driving progress in Free Software projects.
In a "security" context, other things are involved, too, such as the temptation for people to take more substantial sums from unscrupulous "security industry" organisations so that those organisations can somehow acquire the work and either use it to drive revenue for their businesses or to apply such works in unethical ways.
The report does make valid points about the burden of security-related feedback on Free Software projects. Unfortunate, then, that it states this: "People are volunteers." While Free Software projects are typically open to volunteer participation, the likes of the Apache Software Foundation should be looking to promote and develop ways through which "people" will not be (unpaid) volunteers but can instead dedicate their "work time" to maintaining and improving Free Software.
Paul
P.S. It's interesting that this report comes from the Apache Software Foundation given the apparently poor reputation of Apache OpenOffice for timely security fixes.
Dear Paul,
I missed your blog entry before, so thanks for your summary!
* Paul Boddie [2017-06-16 13:55 +0200]:
> The report does make valid points about the burden of security-related feedback on Free Software projects. Unfortunate, then, that it states this: "People are volunteers." While Free Software projects are typically open to volunteer participation, the likes of the Apache Software Foundation should be looking to promote and develop ways through which "people" will not be (unpaid) volunteers but can instead dedicate their "work time" to maintaining and improving Free Software.
Actually, I would be very interested in the percentage of Apache developers who do their work on a paid basis. My impression always was that the percentage of paid developers is quite high in that area. Does any of you have any insights there? Else I would ask the author.
Regards, Matthias
On Friday 16. June 2017 16.28.41 Matthias Kirschner wrote:
> I missed your blog entry before, so thanks for your summary!
That was just one part of it, though. Indeed, I had promised to discuss issues of Free Software funding on this list, but I have had other things to do.
[...]
> Actually, I would be very interested in the percentage of Apache developers who do their work on a paid basis. My impression always was that the percentage of paid developers is quite high in that area. Does any of you have any insights there? Else I would ask the author.
I looked at the ASF annual report for the 2015/2016 financial year...
https://s3.amazonaws.com/files-dist/AnnualReports/ASFAnnualReport-FY2015-2016FINAL.pdf
...and it looks as if more than half of the ASF's funding goes on "infrastructure" ($571050 out of $948339), presumably things like providing hardware, bandwidth, services, and so on (with "10 rotating volunteers and 5 paid staff").
I would imagine that quite a few people contributing to Apache projects work at companies like IBM who like to keep the ASF well-stocked with projects, some of which are perhaps not lucrative for those companies any more, at least in their original form as proprietary software. Whether this apparent generosity increases the infrastructure burden or not is perhaps a question for people who know the ASF a lot better than I do.
Paul