ASF on bug bounties
Paul Boddie
paul at boddie.org.uk
Fri Jun 16 11:55:39 UTC 2017
On Friday 16. June 2017 10.02.43 Matthias Kirschner wrote:
> You might have seen that already before when we had some discussion
> about the FOSSA project, but as I was just commenting on a policy paper
> which was mentioning bug bounties, I thought it was a good idea to remind you
> about this write-up by the Apache Software Foundation:
>
> Chapter "Bug Bounties - a Panacea?" in
> https://blogs.apache.org/foundation/entry/free_and_open_source_security
>
> Would be interested in what people here think about that.
The issue of bounties came up in my recent article about Free Software
funding:
https://blogs.fsfe.org/pboddie/?p=1620
I think my observations can be summarised as the following:
1) Bounties are often not fair sums for the work to be done.
2) By rewarding the first to complete the work, they promote destructive
competition and make the "romantic" role of "bounty hunter" less viable.
3) The above factors mean that people are less likely to tackle big problems
through collaboration because the money isn't good enough and people will want
to maximise their rewards by going it alone (and probably failing).
4) Bounties can therefore be ill-suited to actually getting significant work
done. (They can be useful for funding small tasks, but this may only amount to
"pocket money" and probably doesn't actually allow people to live off the
rewards.)
So, I guess I probably agree with the specific observations about bounties as
a way of driving progress in Free Software projects.
In a "security" context, other things are involved, too, such as the
temptation for people to take more substantial sums from unscrupulous
"security industry" organisations so that those organisations can somehow
acquire the work and either use it to drive revenue for their businesses or to
apply such works in unethical ways.
The report does make valid points about the burden of security-related
feedback on Free Software projects. Unfortunate, then, that it states this:
"People are volunteers." While Free Software projects are typically open to
volunteer participation, the likes of the Apache Software Foundation should be
looking to promote and develop ways through which "people" will not be
(unpaid) volunteers but can instead dedicate their "work time" to maintaining
and improving Free Software.
Paul
P.S. It's interesting that this report comes from the Apache Software
Foundation given the apparently poor reputation of Apache OpenOffice for
timely security fixes.