Something that’s been bothering me for years in the security world: why do researchers demand bug bounties for vulnerabilities in open source projects, when the very contributors maintaining and fixing those issues get nothing, just goodwill?
It feels deeply unfair. The burden falls on unpaid maintainers, yet bounty hunters get rewarded. If you want a paid bounty, maybe help fund the people who actually fix the mess too.
@adulau yes!
When this happened to me, I was relatively lucky. The EU funded a short-term bug bounty on PuTTY and its supporting tools in early 2019. HackerOne ran it, and brought their own triage team, who took a lot of the load off me in terms of smacking down people who had missed the point entirely, or chancers who were putting in the least possible effort in the hope of getting lucky. I only had to get involved with stuff that made it through H1's team.
Even so, I was hard pressed to fix the bugs as fast as they came in, at least to begin with. By the end of the initial 8-week bounty period I was exhausted. When H1 said "we still have some money left, want to extend the period?" I was quite emphatic about needing a break first.
In a retrospective email exchange after it was all over, I made your same point, that funding 1000 people to feed bug reports to me and not helping me actually deal with them is a recipe for overload. Fortunately in this case it was only short-term, and I didn't have to do _all_ the triage myself – so surely it's even worse in cases where neither of those things is true.
Mind you, paying me wouldn't have stopped me being overloaded, in this case! It would have been nice, but in this instance, wouldn't have addressed the biggest problem.
Alexandre Dulaunoy
Simon Tatham
Jyrgen N