Money for bugs

Microsoft's Gunnar Kudrjavets mentions the Mozilla Security Bug Bounty (get $500 by finding and reporting a security bug) and ponders the effect of money on the bug reporting process. Naturally, Gunnar's concept of a bug-finding competition with some teams getting money and some not is pretty far from everyday life. In truth, few people actively search for bugs, and the reward would have to be really disproportionate to change that. But if you happen to bump into a bug, the additional incentive just might make you report it.
Thinking of it in terms of probability: if your chance of getting the bounty is 1/100 per hour of work, the expected value is $5 per hour. Not many people would bother – at least not those with enough ability to actually go looking for security bugs. However, once you've discovered (by pure chance, in your daily use) something you think could qualify as a security bug, things change. If you can write the bug report in half an hour and there's a 50-50 chance of getting the prize, you've just netted yourself an expected value of $250 for 30 minutes of work. Most of us would take that opportunity.
So, paying for bugs mostly encourages reporting, not finding. However, from the software developers' perspective (and for a product with a sufficiently large user base) those two things end up being very close – it's likely every bug will be encountered by someone, and it's just a question of which ones get reported.
To return to Gunnar's original thoughts on the competition: I'd like to see it tested as well. I'm not certain money would make that much of a difference. The people most adept at finding serious bugs are probably more thrilled by the competition than by any money involved. Thus, my hypothesis is that if Gunnar's teams are top-of-the-field in the technical sense, money will be less of an object. If the teams consist of people who are less driven by ESR's hacker attitude, money might affect motivation enough to make a difference in the results. And of course, in the long term, if we're talking about how much QA organizations get paid for their daily job, money will become a motivating factor even for the technically most advanced teams.

August 21, 2004 · Jouni Heikniemi · Comments Closed
Posted in: Misc. programming