[OPEN-ILS-GENERAL] Bug bounties

Dan Scott dan at coffeecode.net
Tue Jul 30 17:48:23 EDT 2013


On Tue, Jul 30, 2013 at 05:35:04PM -0400, Rogan Hamby wrote:
> I haven't heard any dissents and at least two in favor (you and I) so
> in the spirit of a meritocracy I would say Kathy that at the least if you
> want to come up with a model of how to handle it, go ahead and let's start
> poking at the details.
> 
> I won't derail things with my wishlist for accessibility.  :)
> 
> I agree that wishlist bugs shouldn't be on the list.

Okay, I'll offer a conditional dissent then. I worry that the
introduction of financial incentives will disrupt the contributor
ecology. As soon as money is in the picture, all sorts of interesting
side effects can occur.

For example, will this act as a disincentive for open communication
and collaboration about potential alternatives for fixing a bug (because
potential fixers jealously guard their approaches from one another)?
Will it reduce the interest of current developers in providing
assistance to new contributors? Will it introduce difficulties in trying
to divvy up credit for bug fixes? Do reviewers of bug fixes get any
share of the cash? Do reporters of bugs who provide reproducible test
cases get any share of the cash? Is there any requirement to provide
regression tests (to prevent the bug from ever rearing its head again)
as part of the bug fix? Will contributors of new functionality bury bugs
they know about in the interest of getting paid twice, once for the new
functionality, and then later for the bug fixes?

My conditional dissent would like some examples of projects where bug
bounties have actually worked. The examples that I've seen have focused
on reporting security vulnerabilities. If there are a few solid cases
out there that can serve as a model for us, then I would turn my dissent
into cautious assent.

It could be that I've just read one too many Dilbert cartoons...

