Wowfunhappy 6 days ago

I can understand if it's code the reporting person actually wrote, but if it's just someone else on the project that seems pretty ridiculous.

layer8 6 days ago | parent | next [-]

People could fix each other’s intentionally introduced bugs and make a living that way.

The argument is less convincing when the bugs are a couple years old. There could be an exemption for that, but it’s also more work to verify (Git histories can be fabricated).

Wowfunhappy 6 days ago | parent | prev [-]

They could anyway: one person intentionally introduces bugs and the other reports them. The reporter just avoids ever contributing code themselves.

But doing any of this repeatedly without getting caught seems hard.

motorest 6 days ago | parent | prev [-]

Not ridiculous. It's a clear conflict of interests, and represents a perverse incentive.

baq 6 days ago | parent [-]

And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.

motorest 6 days ago | parent [-]

> And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.

I don't think that's how it works. I mean, how many problems did you ever fix by dictating how others should spend their own money?

Also, apparently some of these issues have existed for over a decade. That alone tells you how serious the problem is, and how urgently it needs fixing.

hmcq6 5 days ago | parent | next [-]

> Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is

The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

motorest 5 days ago | parent [-]

> The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

Who is "they"? Project maintainers? Project users? You?

> The problem is the money.

So this is a project that didn't require any funding for decades in order to exist. Explain exactly why you believe money is an issue.

hmcq6 5 days ago | parent [-]

I misunderstood and thought this was a Google-sponsored project and not an open bug bounty.

Even still, you're responding in a thread about someone who is trying to do legitimate work on this project, and Google is not honoring the bug bounty system.

A problem Google could fix if they just assigned someone to manually review the case; it would take like 15 minutes.

baq 6 days ago | parent | prev [-]

I'm just saying they've got a bug bounty program but not a bug prevention bounty program, or even a fix a known bug bounty program. The security team has a budget for the realized risks but predictably not for managing unrealized risk in the open source community which they depend on.

x0x0 6 days ago | parent [-]

> a bug prevention bounty program

Particularly for a dep they've chosen to ship in their browser.