ASF on bug bounties

Paul Boddie paul at
Fri Jun 16 11:55:39 UTC 2017

On Friday 16. June 2017 10.02.43 Matthias Kirschner wrote:
> You might have seen that already before when we had some discussion
> about the FOSSA project, but as I was just commenting a policy paper
> which was mentioning bug bounties, I thought it is a good to remind you
> about this write-up by the Apache Software Foundation:
> Chapter "Bug Bounties - a Panacea?" in
> Would be interested what people here think about that.

The issue of bounties came up in my recent article about Free Software 

I think my observations can be summarised as the following:

1) Bounties are often not fair sums for the work to be done.

2) By rewarding the first to complete the work, they promote destructive 
competition and make the "romantic" role of "bounty hunter" less viable.

3) The above factors mean that people are less likely to tackle big problems 
through collaboration because the money isn't good enough and people will want 
to maximise their rewards by going it alone (and probably failing).

4) Bounties can therefore be ill-suited to actually getting significant work 
done. (They can be useful for funding small tasks, but this may only amount to 
"pocket money" and probably doesn't actually allow people to live off the 

So, I guess I probably agree with the specific observations about bounties as 
a way of driving progress in Free Software projects.

In a "security" context, other things are involved, too, such as the 
temptation for people to take more substantial sums from unscrupulous 
"security industry" organisations so that those organisations can somehow 
acquire the work and either use it to drive revenue for their businesses or to 
apply such works in unethical ways.

The report does make valid points about the burden of security-related 
feedback on Free Software projects. Unfortunate, then, that it states this: 
"People are volunteers." While Free Software projects are typically open to 
volunteer participation, the likes of the Apache Software Foundation should be 
looking to promote and develop ways through which "people" will not be 
(unpaid) volunteers but can instead dedicate their "work time" to maintaining 
and improving Free Software.


P.S. It's interesting that this report comes from the Apache Software 
Foundation given the apparently poor reputation of Apache OpenOffice for 
timely security fixes.

More information about the Discussion mailing list