Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Mozilla Bug The Almighty Buck Technology

More Than 10% of Mozilla Bug Finders Refuse Cash 115

angry tapir writes "The open-source Mozilla project has been offering cash bounties for security bugs for six years now, but often bug finders simply turn down the cash. Between 10 percent and 15 percent of the serious security bugs reported since Mozilla launched its bug bounty program have been provided free of charge, according to Mozilla."
This discussion has been archived. No new comments can be posted.

More Than 10% of Mozilla Bug Finders Refuse Cash

Comments Filter:
  • by fuzzyfuzzyfungus ( 1223518 ) on Friday August 06, 2010 @09:31AM (#33161728) Journal
    More evidence, if any were needed, that "Open Source" software is a sinister communist plot that defies all sound economic principles.

    Sincerely,
    S. Ballmer.
    • by jornak ( 1377831 )

      Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.

      • by VJ42 ( 860241 ) * on Friday August 06, 2010 @09:45AM (#33161970)

        Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.

        That's effectively what they're doing - the 'charity' of their choice being the Mozilla foundation.

        • by jornak ( 1377831 )

          I was thinking of something more along the lines of OLPC or any of those charitable organizations that help spread technology to people/places that regularly wouldn't have access to it.

          • by Seumas ( 6865 )

            Nothing is stopping the bug-hunters from accepting the cash and donating it.

            • Re: (Score:1, Interesting)

              by Anonymous Coward
              Sure there is. Many of them probably are doing their work for a company. Major companies generally have positions on this that would preclude the "finder" from accepting (even for that moment required to donate it) any kind of a bonus or fee for their work since they were already paid for their work by their employer. I am pretty sure that explains this 10 - 15 percent right there. Not altruism. They are just constrained not to accept. Others are probably also constrained but choose to ignore their company
          • by kg8484 ( 1755554 ) on Friday August 06, 2010 @10:10AM (#33162378)

            Ah, so what you really meant is:

            Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of my choice. Just sayin'.

            • Re: (Score:3, Insightful)

              by Snaller ( 147050 )

              Bullshit. The Mozilla foundation is not a charity nor is giving them money charity.

              • by radish ( 98371 )

                Well of course it depends on your definition of "charity", but under general US/IRS usage [wikipedia.org], yes they are [mozilla.org].

                • IANAL, although I did have an intro course on US business law. The Mozilla foundation appears to be a non-profit, and not a charity, as you claim. There's a difference between the two.

                  Also, Mozilla Corporation is a for-profit subsidiary of the former, though I'm not sure if they're actually the ones giving out these bounties.

                  • Well fuck me, I might be wrong here. Somebody way down the thread posted a link to California registration of "charitable funds". I'm too hungry to decipher the 30 pages right now, but it very well might be a charity, at least legally by California's registration.

                    • by dubdays ( 410710 )
                      Just an FYI...From the Mozilla website: "The Mozilla Foundation is a California non-profit corporation exempt from federal income taxation under IRC 501(c)3. Donations are tax deductible for U.S. citizens. For donors outside of the United States, please consult with your tax advisor about whether your donation will be tax deductible."
      • Charity? Do you mean like the Mozilla Foundation?
        • Re: (Score:2, Insightful)

          by maxume ( 22995 )

          It's a non-profit organization. That doesn't make it a charity, it just means it has a special tax status.

          The fact that they accept donation gives some credence to the idea of calling them a charity; that they make far more money from their business activities at least makes it questionable.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.

        Maybe you should read the article?

        "A lot of people would say, 'Don't worry about it. Donate it to the EFF [Electronic Frontier Foundation] or just send me a T-shirt,'"

      • by AHuxley ( 892839 )
        Surgical kits, adult literacy, tropical medicine, animals, eye clinics, food banks, a laptop as a gift, lots of Ubuntu ect.
    • Re: (Score:3, Informative)

      a) 90% accept cash for their work. Evil bastards!

      b) Talking about socialism, good thing we don't have unions in software industry or they wouldn't look too kindly on all these people working for free.
    • What I really want to know is how many of the people who Got Paid for fixing a serious bug fix were the ones who made it in the first place, or were they the ones that didn't take the money for the fix (as a matter of ethical pride)

      10% really isn't that much.

  • by Anonymous Coward

    Another nail in the coffin of socialism. Cash is the ultimate motivator.

    • by bsDaemon ( 87307 ) on Friday August 06, 2010 @09:52AM (#33162112)

      That's not necessarily true. Is 10% higher or lower than in previous years? Is the data such that a trend can be measured? besides, I wouldn't say that cash is necessarily the a direct motivator. Identifying that a bug exists is often times easier than being able to fix it, and tipping off the people who are in a position to fix a problem in a piece of software you rely on is also a valid motivation.

      Alternatively, getting your name out there as someone who is smart and gets things done can and often does lead to other opportunities.

      • By your comment I cannot tell if you are a developer or someone not related to computers at all. Bug finding is not an easy task by any measure. Talk to your local Test Engineer.
        • by bsDaemon ( 87307 )

          I admin FreeBSD and Linux systems and do a bunch of q/a work on FreeBSD-based "black box" type networking devices for a specific type of client. I don't do a lot of dev work, what I do is mostly in Perl and BASH. I didn't mean to suggest that finding the bug in the code is easy, but that knowing when there is a problem is easier than doing anything about it.

          My roll in q/a involves a lot of use-case testing, and gathering packet capture and log information for use in debugging any potential issues before a

      • That's not necessarily true. Is 10% higher or lower than in previous years? Is the data such that a trend can be measured? besides, I wouldn't say that cash is necessarily the a direct motivator. Identifying that a bug exists is often times easier than being able to fix it, and tipping off the people who are in a position to fix a problem in a piece of software you rely on is also a valid motivation.

        Alternatively, getting your name out there as someone who is smart and gets things done can and often does lead to other opportunities.

        Not only your last statement but /*I*/ refuse cash back . It is OSS so giving back is /*my personal*/ way of thanking the rest of the community for their hard work and developing a very good product as a whole , improving that product and also giving free alternatives to commercial software is the main thing /* imho*/.

    • by Bloopie ( 991306 )
      So volunteers working for free is now called socialism?
      • by AHuxley ( 892839 )
        Philanthropy has family or band name value, the tax bonus and endless feel good publicity. Anonymous volunteers working for free are unfair competition in many areas.
    • Accepting offered cash does not mean that was the motivation of finding the bug in the first place.

      • Accepting offered cash does not mean that was the motivation of finding the bug in the first place.

        devs have to eat right ?

    • naw, i am semi-retired, i own a 10 wheeler dump truck that can haul 10 square yards of sand, gravel or dirt/top-soil, i work it when i want to so i am not desperate for money, if i found a bug or vulnerability in any open source software that is free i will submit a bug report through the usual channels for free, since they are good enough to give me free software i will return the favor to help them improve the product for free, (sounds fair to me and most everyone else)
    • Re: (Score:3, Insightful)

      There are no statistics of how many people who accept the cash donate it to other open source projects who need the cash.

    • sex > cash
      • by mcgrew ( 92797 ) *

        Like the Freak Brothers said back in the seventies, "Dope will get you through times of no money better than money will get you through times of no dope.

        Sex == cash. [slashdot.org]

  • Actually (Score:5, Funny)

    by Monkeedude1212 ( 1560403 ) on Friday August 06, 2010 @09:33AM (#33161762) Journal

    There was a bug in the bug submit form. I couldn't check off the box at the bottom that said "Wants Cash".

    Does that form work in Netscape?

  • And their subliminal programing. [youtube.com]

  • by catherder_finleyd ( 322974 ) on Friday August 06, 2010 @09:43AM (#33161940)

    If one were to find the bug in the course of one's job, the employer may not allow you to accept a cash bounty. This is certainly the case in the US Federal Government, as well as many Federal Contractors.

    • Reproduce the bug from home and send in the error report from there. You aren’t supposed to be using unapproved software anyway, and Firefox probably isn’t approved and installed on the computers by the IT department in most workplaces. Although, admittedly, the IT department might turn a blind eye toward people so long as they aren’t causing other problems.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        My personal experience is that developers at many or most US federal contractors have no problems running Firefox.

        Many workplaces will relax such rules for workers who develop software as part of their jobs, and these are the individuals who will be finding bugs in the first place.

    • Re: (Score:3, Insightful)

      by thejam ( 655457 )
      Also, your work visa may not allow you to accept cash for work of another employer.
    • Re: (Score:3, Informative)

      by plcurechax ( 247883 )

      The situation may also become marginal or not worth the effort for foreigners to accept the cash, if they need to hire a tax lawyer to deal with foreign income, as most countries don't consider foreign prizes ("windfall") or "bounties" as tax-free (or zero-rate tax rate) income.

      Let alone you live / work in a country that is not trusting of US Government and US organizations (think: Cuba, China, Philippines, Latin America), may consider it "proof" of being a spy. Why else would some foreign US non-profit org

  • "Often"? (Score:3, Insightful)

    by Thats_Pipe ( 837838 ) on Friday August 06, 2010 @09:43AM (#33161942) Journal
    "... often bug finders simply turn down the cash. Between 10 percent and 15 percent ..."

    Not too sure what connotations "often" has for others but 10-15% doesn't really seem that "often"
    • Re:"Often"? (Score:5, Insightful)

      by correnos ( 1727834 ) on Friday August 06, 2010 @09:51AM (#33162090)
      In the context of "here have some cash", 15% is pretty often.
      • I've never taken accounting, but when money is involved generally saying 10-15% is not a good idea.

        ( Number of bugs people who refused/Number of bugs submitted ) * 100

        So if 1 person refused out of 4.

        ( 1 / 4 ) * 100 .25 * 100
        25

        25%

        How can they only estimate 10-15%? Seems like a feeling more than a concrete report.

        • It probably depends on whether you calculate it based on the number of bugs whose finder refused cash or the number of researchers who refused cash for the bug reports they had submitted. The article states that over 120 bugs have been found by about 80 researchers – some of the researchers submitted more than one bug.

    • You seem to be confusing "often" with "more often than not". They aren't the same thing.
      • I just looked up "often" in the dictionary. The definition provides reads, "frequently, many times".

        I'd say you're unclear on the definition of often.

        10%-15% may be more often than expected, but by no stretch of the imagination is it often.

        • Both “frequently” and “many” are relative terms. You can have something occur more or less frequently than expected, or more or fewer times than expected.

          “More often than not” is unambiguous and definite.

          • They are relative, but not completely meaningless. If you plot "often", "frequently" and perhaps "many times" on a scale from 0 to 100% ("never" to "always"), I, and I'd imagine... most people would expect to find all of the three significantly further to the right than the first tenth or 15%. The article (or the summary, I didn't RTFA) attempts to spin the story to make it sound like a higher number than it actually is.

            I suggest some alternative headlines:
            "Almost 90% of people take money from a non-profit

            • What’s misleading about “More Than 10% of Mozilla Bug Finders Refuse Cash”?

              • That headline is not too bad, "more than" of course means just that, a>b, but it is often used similarly to "up to". The actual number can be 10.01% and it would be still technically accurate, which is admittedly the best kind of accurate.

                Mostly though, it's just the perception that it gives the reader. Would you not say that it makes this result sound good, while, let's say, "More Than 85%* of Mozilla Bug Finders Take the Cash" paint a somewhat different picture?

                *Note that this is based on their highest

    • by JLennox ( 942693 )
      If this was Microsoft it would be "15% of people refuse blood money"
  • Some people may not be able to accept the bounty, and others may simply feel they have already gotten sufficient value (free browser!).

    Though even those with altruistic motives would find it hard to turn down $3000.

    • it's $3000! holy shit!
      • step 1: contribute bug to mozilla
      • step 2: report bug
      • step 3: go directly to PROFIT!
  • by FuckingNickName ( 1362625 ) on Friday August 06, 2010 @09:53AM (#33162132) Journal

    I've helped out in projects which help the wider community but which are controlled in some way by organisations which I do not approve of. In such cases, I refuse to take anything but expenses. Benefitting from some organisation of which you disapprove is morally bankrupt, but helping out a good cause which happens to be promoted by that organisation is a fine act.

    To do a bit of occupatio:

    1. No, the effort in finding the bug isn't an expense, unless you're one of those consumer-citizen types who translates each hour into some cash value;

    2. Something exists outside of its ownership. It is not inconsistent to judge that Firefox is good but the Mozilla Foundation is bad.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      this post took me 27 seconds to read... you owe me $1.75.

    • but nothing helps organizations more than getting something for free. what's better for BP? if the community all went down and cleaned up the gulf for free? or if they had to pay through the ass to clean it up?

      (a lot of my tax dollars went to cleaning, i support that, but i would support BP paying me back w interest)
      • Assuming that some community of volunteers could reasonably do the work, then it depends on whether you think clearing up the oil spill or spiting BP is more important.

        The poorest people in the world need to be left to suffer slow death by starvation, because helping them will only encourage their corrupt governments, right?

        • Well, the important task is to clean/help. Finger pointing and punitive measures aren't going to address the situation. However, I don't see it as morally bankrupt to be compensated for that help.
    • by Yvanhoe ( 564877 )
      I personally consider moral to do the opposite : provide for free a service to an organization you approve of, make pay organizations you disapprove of. I am not sure how this "moral bankruptcy thing" works.
    • If you're going to fix the bugs anyway then why not take the money and put it into an organization you do support?

      • More papers to deal with at tax time.

      • Imagine that the Puppy Killing Party of North America (Republican/Democrat/ADL/ADC/AMI/PETA/whatever sinks your boat) saw that you happened to do something in some way aligned with their mission, even if not directly killing puppies.

        They approached you and said, "On behalf of the puppy killers of North America, we're happy with what you've done and we'd like to present you with this cash sum of $1500."

        What would you do?

        • Accept the money and donate it to the Humane Society. Then call up the local news, they’d likely want to report on it.

          • The Humane Society does their report. The Puppy Killing Party counterbalances by indicating that they're not for anything inhumane, just campaigning in support of outright killing of puppies. Hell, they've proven how much they are against anything truly evil by happily giving a cash sum to you to donate to the Humane Society. The Party leader gives another $500 to show how much he cares.

            And the tenth time that the Humane Society receives a $1500 donation from the Puppy Killing Party thanks to your work, how

            • I’m pretty sure the Humane Society is also against the outright killing of puppies, so your argument is completely ridiculous. And the tenth time the Humane Society receives a $1500 donation, they will have $15,000 worth of the Puppy Killing Party’s money that I have no doubt they will gladly put to better use than the Puppy Killing Party would have.

              When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.

              Sometimes you have no choice but to accept the payment and continue to do the work. [kmbz.com]

              • I’m pretty sure the Humane Society is also against the outright killing of puppies,

                What does "outright killing" mean? That puppies in general shouldn't be killed? We at the Puppy Killing Party of America don't believe that a puppy should necessarily be killed on sight. No, we have a set of rational criteria for puppy control. If a sensible proportion of puppies are killed, remaining puppies have the strength and resources to be properly looked after. Whereas many American so-called "humane" societies are happy to kill puppies at the request of the owner - though they'll use words like "eu

                • When you start discussing the finer points of the ethics of killing puppies, you can be pretty sure that your analogy has become unwieldy.

                  Seeing as you are not BadAnalogyGuy (or are you??), I advise that you just let it die...

                  • "Give a small amount of money to a charity which is perceived as opposing you," is a classical tactic, accompanied by rhetoric (not my opinion!) to disguise the organisation's true mission. What matters here is how the de facto public relations officer for the Puppy Killing Party feels about his position.

                    The PKP will continue giving money as long as the drop in an ocean payment to the Humane Society continues giving such great publicity.

            • When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.

              Unless you've entered into a contract, that doesn't hold.

              If I help fix your car, and you 'pay me' with a six pack of beer we're done. If you then use that car to run over orphans I won't return the beer on moral grounds. I would however refuse to help you fix your car again. (I would have refused you in the first instance if I'd known what you were going to do, but one can only act on the knowledge one has at the time.)

              To fit into your analogy, I graciously accept the $2000 from the PKP, then refuse to help

              • To fit into your analogy, I graciously accept the $2000 from the PKP, then refuse to help them again.

                You know from the start that your work is incidentally helping the Mozilla Foundation.

                But even if you didn't, what if your work happened to mean that you regularly do stuff which you find out incidentally helps the PKP (e.g. you write some open source product from which they greatly benefit)? Do you refuse further payments? Stop working on the product?

                • It's all about a cost benefit analysis.

                  How much does the PKP benefit from my work? How much does the humane society benefit from my work? If the sums of the goods outweigh the sums of the evils then I continue. Accepting any money the PKP wants to give me.

                  Perhaps I would give more credence to feedback from the humane society than from the PKP, adding the features that the humane society wants, but not those that the PKP wants. If the PKP happens to incidentally benefit from an improvement I make for the hu

    • I can see where your mindset is, but your morality should define what you do, not whether or not you get paid for it. By helping an organisation with whom you disagree, you've already betrayed your morality, so you may as well get something for it.

  • The true geek will not take the money. They respect open source and want to help the open source community. Plus it's fun to find holes in software. No to mention firefox is such a great browser why not try and make it better.
  • I have heard that the Nobel prize people will call and ask someone if they would accept the prize if it were offered them. If they say yes, then it's "Great! You have been offered a Noble Prize in %category%!". But if the potential winner indicates they are not really interested in material prizes, they just never offer the prize at all. That way they can say no one has ever turned down a Nobel.

    I wonder if the Firefox people do the same thing in reverse. They would call the potential bounty winners (maybe
  • by shadowrat ( 1069614 ) on Friday August 06, 2010 @10:09AM (#33162372)
    These guys are probably finding bugs in Mozilla to get laid. I know my wingmen and i have used that line to great success many times. You wouldn't believe how fast the ladies forget the fighter pilots, basketball players, and CIA agents at the bar when I tell them about a DOM parsing error i discovered!

    To seal the deal i tell them i didn't want the money as i'm already super rich. Tomorrow i leave for africa to help impoverished children install Ubuntu.
    • by Maarx ( 1794262 )

      These guys are probably finding bugs in Mozilla to get laid. I know my wingmen and i have used that line to great success many times. You wouldn't believe how fast the ladies forget the fighter pilots, basketball players, and CIA agents at the bar when I tell them about a DOM parsing error i discovered!

      To seal the deal i tell them i didn't want the money as i'm already super rich. Tomorrow i leave for africa to help impoverished children install Ubuntu.

      From Ubuntu (philosophy) [wikipedia.org]

      Ubuntu is an ethic or humanist philosophy focusing on people's allegiances and relations with each other. The word has its origin in the Bantu languages of southern Africa. Ubuntu is seen as a classical African concept. The Ubuntu operating system was named for this principle.

    • Oh man, and I thought MY post was clever.

      This made my day.

  • What percentage of the individuals who find a bug are currently on work time? If 10% of found bugs are on work time then they may not be able to accept cash from another company while being paid by their current employer. Discovering a bug on work time just means you are doing your job.
  • In other news (Score:4, Insightful)

    by Zepalesque ( 468881 ) on Friday August 06, 2010 @02:00PM (#33166340)

    Almost 90% of Mozilla Bug Finders Accept Cash Reward!

  • because they'd go broke
  • I'll take uncut diamonds or bearer bonds.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...