More Than 10% of Mozilla Bug Finders Refuse Cash
angry tapir writes "The open-source Mozilla project has been offering cash bounties for security bugs for six years now, but often bug finders simply turn down the cash. Between 10 percent and 15 percent of the serious security bugs reported since Mozilla launched its bug bounty program have been provided free of charge, according to Mozilla."
More evidence... (Score:5, Funny)
Sincerely,
S. Ballmer.
Re: (Score:1)
Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.
Re:More evidence... (Score:5, Insightful)
Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.
That's effectively what they're doing - the 'charity' of their choice being the Mozilla foundation.
Re: (Score:1)
I was thinking of something more along the lines of OLPC or any of those charitable organizations that help spread technology to people/places that regularly wouldn't have access to it.
Re: (Score:1)
Nothing is stopping the bug-hunters from accepting the cash and donating it.
Re:More evidence... (Score:5, Insightful)
Ah, so what you really meant is:
Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of my choice. Just sayin'.
Re: (Score:3, Insightful)
Bullshit. The Mozilla foundation is not a charity nor is giving them money charity.
Re: (Score:2)
Well of course it depends on your definition of "charity", but under general US/IRS usage [wikipedia.org], yes they are [mozilla.org].
Re: (Score:2)
IANAL, although I did have an intro course on US business law. The Mozilla foundation appears to be a non-profit, and not a charity, as you claim. There's a difference between the two.
Also, Mozilla Corporation is a for-profit subsidiary of the former, though I'm not sure if they're actually the ones giving out these bounties.
Re: (Score:2)
Well fuck me, I might be wrong here. Somebody way down the thread posted a link to California registration of "charitable funds". I'm too hungry to decipher the 30 pages right now, but it very well might be a charity, at least legally by California's registration.
Re: (Score:2, Insightful)
It's a non-profit organization. That doesn't make it a charity, it just means it has a special tax status.
The fact that they accept donation gives some credence to the idea of calling them a charity; that they make far more money from their business activities at least makes it questionable.
Re: (Score:2)
It is creating something valuable (Firefox, etc.) and giving it away free of charge. Charities give away things free of charge. They’re not terribly different... the only differences are what they’re giving away and who they’re giving it to and under what conditions or circumstances.
Re: (Score:1)
That would then make Opera Software (to take an example in the same domain) a charity using the same test.
Re: (Score:2)
I’d omitted/forgotten that a charity also needs to be a non-profit organisation (as maxume had already noted that Mozilla Foundation is a NPO) – perhaps I should have included it.
Re:More evidence... (Score:5, Informative)
Source [timesonline.co.uk] And, California registration by the Mozilla Foundation as a charitable trust [mozilla.org].
Re: (Score:2, Informative)
Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.
Maybe you should read the article?
"A lot of people would say, 'Don't worry about it. Donate it to the EFF [Electronic Frontier Foundation] or just send me a T-shirt,'"
Re: (Score:3, Informative)
b) Talking about socialism, good thing we don't have unions in software industry or they wouldn't look too kindly on all these people working for free.
Re: (Score:2)
What I really want to know is how many of the people who Got Paid for fixing a serious bug fix were the ones who made it in the first place, or were they the ones that didn't take the money for the fix (as a matter of ethical pride)
10% really isn't that much.
But 90% accept the cash... (Score:1, Insightful)
Another nail in the coffin of socialism. Cash is the ultimate motivator.
Re:But 90% accept the cash... (Score:5, Interesting)
That's not necessarily true. Is 10% higher or lower than in previous years? Is the data such that a trend can be measured? Besides, I wouldn't say that cash is necessarily a direct motivator. Identifying that a bug exists is often times easier than being able to fix it, and tipping off the people who are in a position to fix a problem in a piece of software you rely on is also a valid motivation.
Alternatively, getting your name out there as someone who is smart and gets things done can and often does lead to other opportunities.
Re: (Score:2)
I admin FreeBSD and Linux systems and do a bunch of q/a work on FreeBSD-based "black box" type networking devices for a specific type of client. I don't do a lot of dev work, what I do is mostly in Perl and BASH. I didn't mean to suggest that finding the bug in the code is easy, but that knowing when there is a problem is easier than doing anything about it.
My role in q/a involves a lot of use-case testing, and gathering packet capture and log information for use in debugging any potential issues before a
Re: (Score:2)
That's not necessarily true. Is 10% higher or lower than in previous years? Is the data such that a trend can be measured? Besides, I wouldn't say that cash is necessarily a direct motivator. Identifying that a bug exists is often times easier than being able to fix it, and tipping off the people who are in a position to fix a problem in a piece of software you rely on is also a valid motivation.
Alternatively, getting your name out there as someone who is smart and gets things done can and often does lead to other opportunities.
Not only your last statement but /*I*/ refuse cash back . It is OSS so giving back is /*my personal*/ way of thanking the rest of the community for their hard work and developing a very good product as a whole , improving that product and also giving free alternatives to commercial software is the main thing /* imho*/.
Accepting offered cash does not mean that was the motivation of finding the bug in the first place.
Re: (Score:2)
Accepting offered cash does not mean that was the motivation of finding the bug in the first place.
devs have to eat right ?
Re: (Score:3, Insightful)
There are no statistics of how many people who accept the cash donate it to other open source projects who need the cash.
Re: (Score:2)
Like the Freak Brothers said back in the seventies, "Dope will get you through times of no money better than money will get you through times of no dope.
Sex == cash. [slashdot.org]
Actually (Score:5, Funny)
There was a bug in the bug submit form. I couldn't check off the box at the bottom that said "Wants Cash".
Does that form work in Netscape?
Re:Actually (Score:5, Funny)
Only in IE6 I'm afraid. :(
Goddamn Beatles! (Score:2)
And their subliminal programming. [youtube.com]
Job may not allow you to accept cash bounty (Score:5, Informative)
If one were to find the bug in the course of one's job, the employer may not allow you to accept a cash bounty. This is certainly the case in the US Federal Government, as well as many Federal Contractors.
Re: (Score:2)
Reproduce the bug from home and send in the error report from there. You aren’t supposed to be using unapproved software anyway, and Firefox probably isn’t approved and installed on the computers by the IT department in most workplaces. Although, admittedly, the IT department might turn a blind eye toward people so long as they aren’t causing other problems.
Re: (Score:1, Insightful)
My personal experience is that developers at many or most US federal contractors have no problems running Firefox.
Many workplaces will relax such rules for workers who develop software as part of their jobs, and these are the individuals who will be finding bugs in the first place.
Re: (Score:3, Informative)
The situation may also become marginal or not worth the effort for foreigners to accept the cash, if they need to hire a tax lawyer to deal with foreign income, as most countries don't consider foreign prizes ("windfall") or "bounties" as tax-free (or zero-rate tax rate) income.
Let alone you live / work in a country that is not trusting of US Government and US organizations (think: Cuba, China, Philippines, Latin America), may consider it "proof" of being a spy. Why else would some foreign US non-profit org
"Often"? (Score:3, Insightful)
Not too sure what connotations "often" has for others but 10-15% doesn't really seem that "often"
Re:"Often"? (Score:5, Insightful)
Re: (Score:2)
I've never taken accounting, but when money is involved generally saying 10-15% is not a good idea.
( Number of bugs whose finder refused / Number of bugs submitted ) * 100
So if 1 person refused out of 4:
( 1 / 4 ) * 100 = .25 * 100 = 25
25%
How can they only estimate 10-15%? Seems like a feeling more than a concrete report.
Re: (Score:2)
It probably depends on whether you calculate it based on the number of bugs whose finder refused cash or the number of researchers who refused cash for the bug reports they had submitted. The article states that over 120 bugs have been found by about 80 researchers – some of the researchers submitted more than one bug.
I just looked up "often" in the dictionary. The definition provided reads, "frequently, many times".
I'd say you're unclear on the definition of often.
10%-15% may be more often than expected, but by no stretch of the imagination is it often.
Re: (Score:2)
Both “frequently” and “many” are relative terms. You can have something occur more or less frequently than expected, or more or fewer times than expected.
“More often than not” is unambiguous and definite.
Re: (Score:2)
They are relative, but not completely meaningless. If you plot "often", "frequently" and perhaps "many times" on a scale from 0 to 100% ("never" to "always"), I, and I'd imagine... most people would expect to find all of the three significantly further to the right than the first tenth or 15%. The article (or the summary, I didn't RTFA) attempts to spin the story to make it sound like a higher number than it actually is.
I suggest some alternative headlines:
"Almost 90% of people take money from a non-profit
Re: (Score:2)
What’s misleading about “More Than 10% of Mozilla Bug Finders Refuse Cash”?
Re: (Score:2)
That headline is not too bad, "more than" of course means just that, a>b, but it is often used similarly to "up to". The actual number can be 10.01% and it would be still technically accurate, which is admittedly the best kind of accurate.
Mostly though, it's just the perception that it gives the reader. Would you not say that it makes this result sound good, while, let's say, "More Than 85%* of Mozilla Bug Finders Take the Cash" paint a somewhat different picture?
*Note that this is based on their highest
Re: (Score:2)
I’m personally all for accepting free blood money. You can probably put it to a more worthy use (or less destructive one, should we say) than they would if you refused it, after all.
If you want to make a point about it, it’s more effective to accept the money then turn around and give it to a charity that the blood-money givers would disapprove of [kmbz.com].
Multiple reasons (Score:2)
Some people may not be able to accept the bounty, and others may simply feel they have already gotten sufficient value (free browser!).
Though even those with altruistic motives would find it hard to turn down $3000.
nor would I accept it (Score:4, Interesting)
I've helped out in projects which help the wider community but which are controlled in some way by organisations which I do not approve of. In such cases, I refuse to take anything but expenses. Benefitting from some organisation of which you disapprove is morally bankrupt, but helping out a good cause which happens to be promoted by that organisation is a fine act.
To do a bit of occupatio:
1. No, the effort in finding the bug isn't an expense, unless you're one of those consumer-citizen types who translates each hour into some cash value;
2. Something exists outside of its ownership. It is not inconsistent to judge that Firefox is good but the Mozilla Foundation is bad.
Re: (Score:2, Funny)
this post took me 27 seconds to read... you owe me $1.75.
Re: (Score:2)
(a lot of my tax dollars went to cleaning, i support that, but i would support BP paying me back w interest)
Re: (Score:2)
Assuming that some community of volunteers could reasonably do the work, then it depends on whether you think clearing up the oil spill or spiting BP is more important.
The poorest people in the world need to be left to suffer slow death by starvation, because helping them will only encourage their corrupt governments, right?
Re: (Score:1)
If you're going to fix the bugs anyway then why not take the money and put it into an organization you do support?
Re: (Score:2)
More papers to deal with at tax time.
Re: (Score:2)
Imagine that the Puppy Killing Party of North America (Republican/Democrat/ADL/ADC/AMI/PETA/whatever sinks your boat) saw that you happened to do something in some way aligned with their mission, even if not directly killing puppies.
They approached you and said, "On behalf of the puppy killers of North America, we're happy with what you've done and we'd like to present you with this cash sum of $1500."
What would you do?
Re: (Score:2)
Accept the money and donate it to the Humane Society. Then call up the local news, they’d likely want to report on it.
Re: (Score:2)
The Humane Society does their report. The Puppy Killing Party counterbalances by indicating that they're not for anything inhumane, just campaigning in support of outright killing of puppies. Hell, they've proven how much they are against anything truly evil by happily giving a cash sum to you to donate to the Humane Society. The Party leader gives another $500 to show how much he cares.
And the tenth time that the Humane Society receives a $1500 donation from the Puppy Killing Party thanks to your work, how
Re: (Score:2)
I’m pretty sure the Humane Society is also against the outright killing of puppies, so your argument is completely ridiculous. And the tenth time the Humane Society receives a $1500 donation, they will have $15,000 worth of the Puppy Killing Party’s money that I have no doubt they will gladly put to better use than the Puppy Killing Party would have.
When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.
Sometimes you have no choice but to accept the payment and continue to do the work. [kmbz.com]
Re: (Score:2)
I’m pretty sure the Humane Society is also against the outright killing of puppies,
What does "outright killing" mean? That puppies in general shouldn't be killed? We at the Puppy Killing Party of America don't believe that a puppy should necessarily be killed on sight. No, we have a set of rational criteria for puppy control. If a sensible proportion of puppies are killed, remaining puppies have the strength and resources to be properly looked after. Whereas many American so-called "humane" societies are happy to kill puppies at the request of the owner - though they'll use words like "eu
Re: (Score:2)
When you start discussing the finer points of the ethics of killing puppies, you can be pretty sure that your analogy has become unwieldy.
Seeing as you are not BadAnalogyGuy (or are you??), I advise that you just let it die...
Re: (Score:2)
"Give a small amount of money to a charity which is perceived as opposing you," is a classical tactic, accompanied by rhetoric (not my opinion!) to disguise the organisation's true mission. What matters here is how the de facto public relations officer for the Puppy Killing Party feels about his position.
The PKP will continue giving money as long as the drop in an ocean payment to the Humane Society continues giving such great publicity.
Re: (Score:2)
Publicity !== good publicity.
Re: (Score:2)
When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.
Unless you've entered into a contract, that doesn't hold.
If I help fix your car, and you 'pay me' with a six pack of beer we're done. If you then use that car to run over orphans I won't return the beer on moral grounds. I would however refuse to help you fix your car again. (I would have refused you in the first instance if I'd known what you were going to do, but one can only act on the knowledge one has at the time.)
To fit into your analogy, I graciously accept the $2000 from the PKP, then refuse to help
Re: (Score:2)
To fit into your analogy, I graciously accept the $2000 from the PKP, then refuse to help them again.
You know from the start that your work is incidentally helping the Mozilla Foundation.
But even if you didn't, what if your work happened to mean that you regularly do stuff which you find out incidentally helps the PKP (e.g. you write some open source product from which they greatly benefit)? Do you refuse further payments? Stop working on the product?
Re: (Score:2)
It's all about a cost benefit analysis.
How much does the PKP benefit from my work? How much does the humane society benefit from my work? If the sums of the goods outweigh the sums of the evils then I continue. Accepting any money the PKP wants to give me.
Perhaps I would give more credence to feedback from the humane society than from the PKP, adding the features that the humane society wants, but not those that the PKP wants. If the PKP happens to incidentally benefit from an improvement I make for the hu
Re: (Score:2)
I can see where your mindset is, but your morality should define what you do, not whether or not you get paid for it. By helping an organisation with whom you disagree, you've already betrayed your morality, so you may as well get something for it.
Re: (Score:2)
So... doing work which benefits an organisation is wrong, but it can be cancelled out somewhat if they pay me. IOW, getting a job at Puppy Killing Party HQ is OK as long as my salary is high enough ;-).
Look, you're not being paid for the precise value of your work to PKP (or at any non-cooperative firm, but that's another discussion). You're being given a token sum to encourage you to work more and to make them look good. No amount paid out will be sufficient to do them significant damage if used against th
What Nobel people... (Score:1, Flamebait)
I wonder if the Firefox people do the same thing in reverse. They would call the potential bounty winners (maybe
Something more desired than cash. (Score:5, Funny)
To seal the deal I tell them I didn't want the money as I'm already super rich. Tomorrow I leave for Africa to help impoverished children install Ubuntu.
Re: (Score:1)
These guys are probably finding bugs in Mozilla to get laid. I know my wingmen and I have used that line to great success many times. You wouldn't believe how fast the ladies forget the fighter pilots, basketball players, and CIA agents at the bar when I tell them about a DOM parsing error I discovered!
To seal the deal I tell them I didn't want the money as I'm already super rich. Tomorrow I leave for Africa to help impoverished children install Ubuntu.
From Ubuntu (philosophy) [wikipedia.org]
Ubuntu is an ethic or humanist philosophy focusing on people's allegiances and relations with each other. The word has its origin in the Bantu languages of southern Africa. Ubuntu is seen as a classical African concept. The Ubuntu operating system was named for this principle.
Re: (Score:2)
Oh man, and I thought MY post was clever.
This made my day.
In other news (Score:4, Insightful)
Almost 90% of Mozilla Bug Finders Accept Cash Reward!
Microsoft won't pay.... (Score:1)
Re:15% is not a lot (Score:5, Interesting)
It's more often than one would expect. If I walked around handing out free cash, and 49% of people refused it (that is, less than 'may be called often' according to you), that is still much more often than most people would expect.
Finding bugs could be considered a job. If 10 to 15% of people don't expect to be paid for their work, wouldn't you agree that's significantly more than expected?
Re: (Score:1, Informative)
https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report
https://developer.mozilla.org/en/Bug_writing_guidelines
Re: (Score:2)
I'd say ~20% for often. 50%+ is "usually" and over 75% can be "most of the time" with "nearly always" reserved for over 90%. So, depending on how you want to spin this, it can be "bug submitters nearly always accept cash," or "often times, bug submitters reject cash" (rounding 15% up to 20% for often-ness). But, as I noted in a previous post, the important thing is which way the numbers are trending, not necessarily what the numbers are, when determining how good news this is. The story title is actually