Ask HN: How do you find developers for open source bug bounties?
Background: There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.
But this leads to a higher level question. When you want to sponsor open source bug fixes and/or feature and there isn't a clear "sponsor" link or button, how do you find qualified people? For example, is there a site/app you typically search?
69 comments
[ 3.9 ms ] story [ 124 ms ] thread2. extract emails of the contributors that are involved in what you need using something like this: git log --pretty=format:"%ad - %ae - %ce"
3. make them an offer
note: I mean to imply, the person that asked the question likely has a budget far lower than the person qualified to do the work is willing to accept.
Have you filed a bug in the project's issue tracker? Has the project team not followed up? Is there a link to this issue?
I believe to write good bug reports, and put serious effort in it to provide test cases, describe the environment the bug thrives in, make assumptions on what may be wrong, etc. A good bug report takes half an hour of my time, easily. Only to then be ignored for 15+ years and eventually silently closed because "we don't use that architecture anymore". Looking at you, KDE, and Atlassian (= the problem exists regardless on the monetarization format).
It's just no longer worth my time.
[0] https://github.com/Expensify/App/issues?q=is%3Aopen+is%3Aiss...
I've once considered it, but the public bounties that I could find were so laughably low that I just saw no way to make it work. <$500 for a bug that would take at least a week to fix? I guess it's a nice tip if you were going to work on it anyway, but it makes no sense for me to schedule time to work on that bounty when pretty much any other job would pay 5 - 10 times as much.
I guess it could work if there were a lot of bounties for a project that you are familiar with, so that you can fix them quickly, but there are so few bounties available that you probably have nothing to do after a week or so.
Anyway I find it a bit weird the topic is asked at all. Why didn’t the OP just cold contacted committers?
What I do know is that they tend to sell their exploits through exploit brokers like Zerodium.
One is getting paid to write code that fixes bugs or adds functionality to open source projects. (Pays very little and we suspect nobody makes a living from)
The other is doing security research and reporting on vulnerabilities. Here typically no fix is provided. You are paid for the discovery. Plenty of good researchers make a living on these security bounties
You probably won't get rich from doing $500 bug bounties.
But there are hackathons with bounties in the $1000-$10000 range.
Do 2-4 of those per month and you're good.
Unless you live in a hut in Thailand or something.
Even when you're young and single, it behooves you to think about retirement; it's sooner than you think.
You need a safety net in case something happens, leaving you unable to work for a long time.
If you support a family, you have to think about things like education funds for the kids, and what happens if you suddenly die.
Retirement is provided by the state here so it’s not something I have to plan for.
Again, just to reiterate, the original post was using 2k/mo as the absolute minimum and the point I was trying to make is that a few Ks a month is a reasonable living in way more places that people realize.
But I suspect a non negligible % of people here on HN have a distorted view of the world and how much living cost.
[1]: Typical supermarket job in Austria: https://jobs.aldi-hofer.com/hofer-karriere-at/job/Linz-BACKB... The advertised salary for 21 hours/week of 1330€ is paid 14 times per year and comes to a total income of ~15.7k€ after taxes. If you make 24k€ a year as a self-employed person, you will have to pay ~400€ taxes + 6.5k€ pension + health insurance leaving a total of ~17k€ after taxes.
If you have irregular income, you need to plan for a lot more since you'll always have slow months with no income, or customers that don't pay or pay much later than you expected, and you have a lot of costs that employees don't (eg. you need to pay for your own hardware, office space, accountant, tax advisor, health care, pensions, unemployment insurance, etc).
I'd really love to hear from someone who is making a living from bounties or hackathons, because it just seems very hard or impossible to me.
[1] https://www.openbugbounty.org/
I've seen algora being used a lot by many popular projects and recently heard about polar.sh also supporting bug bounties.
What you are asking for seems very specific, however. It’ll cost thousands in developer hours just to understand the bug and determine if it is really a bug. That assuming you find the right person for this job.
Your best bet is to try and work it out with the chromium team. They are already on Google’s payroll and that’s their job.
Over the years I feel I've got very good at tracking down reasons for crashes in C and C++ programs, and I quite enjoy the experience of tracking down such bugs.
I've often fancied a way to monetise this, maybe even a "no fix, no fee" system (assuming you can give me a way of reasonably predictibly reproducing the crash, even if it needs a while / has a random element).
It would require the company giving out their source code to me, and giving me a way to build it, so I imagine in most situations it wouldn't be worth the effort, unless the bug was absolutely mission-critical.
(I like modeling systems and greenfield development as well, but I feel my time is absolutely best utilized when I can train others or crack hard bugs that are worth paying someone good money to crack.)
Some codebases have every participant screaming they stabbed the goddamn basterd, and the job is more a whodidn't.
HN has a "who is hiring" post on the first weekday of every month. You could try posting there. It shouldn't be difficult to bring someone on through a normal consulting arrangement. Lots of people with good qualifications are looking for work these days.
Doing it through a "bounty" means that you're asking people to work on the issue speculatively, with no guarantee of getting paid (PR is not accepted, someone else gets it first, etc). So FOSS bounties (unless they are quite large) tend to be seen as recognition for basically altruistic work. And who wants to work altruistically on a Google product of all things, especially if Google itself is unresponsive to the bug report?
There was just another post about someone collecting $2 million as a security bug bounty for some cryptocurrency app. The person found a bug that would have allowed takeover of the entire blockchain for that currency. It looks from https://bughunters.google.com/about/rules/android-friends/61... that Google's highest offer for Android exploits is $1 million but there are a lot of smaller ones that are still in six figures.
Of course security issues are "unknown unknowns" and are a different challenge than simply fixing a known bug in a known feature, but just the same, the above shows that getting people's attention with pure financial incentives can take some pretty big amounts. If you're really up for that and are credible, then the approach can work.
Anyway, in the case of a project with a public bug tracker, you can always open an issue and make your offer as part of it. There doesn't have to be a "sponsor" button for that.
Much more likely to be a quick buck for someone already familiar with the code base
this is crypto-adjacent so will probably get thrown ut of HN but still, the platform is pretty incredible for finding and posting bounties both highly technical and non technical. happy to connect you to the founder if interested, maybe she can post on your behalf if you don't wanna sign up for the platform
1. Post here on HN. On the 1st work day of every month, the whoishiring bot posts 3 Ask HN threads and you can use the Ask HN: Freelancer? Seeking freelancer? thread to post an ad stating the specific skills that you are looking for. You are more likely to get inquiries if you include a budget. Here are 2 examples: https://news.ycombinator.com/item?id=38846044 (Jan 2024) and https://news.ycombinator.com/item?id=38514744 (Dec 2023).
2. There is also Algora (https://console.algora.io/) and they support the very use case you are asking about though they have a take rate of about 25% for each bounty[1].
Here's an example of Scott Chacon using Algora to sponsor a bounty in the Zed repo https://github.com/zed-industries/zed/issues/4440. He posted about his experience on Twitter here: https://x.com/chacon/status/1770005036170375594.
3. One limitation of Algora mentioned in #2 is that there is a high representation of application software (web apps, desktop apps etc) compared to system software (web browsers, databases etc) meaning many of the bounties available are in "mainstream" languages like JavaScript/TypeScript, Golang, Rust. There are only a handful of bounties that require C/C++ expertise (which I imagine is what you'll need to work on Chromium) so it might be a struggle to get the right developers on Algora. One solution would be to post the bounty on Algora then do targeted outreach in WebRTC communities so the bounty can reach the right audience. For instance, Sean DuBois, who runs the Pion WebRTC community, has posted in the past on behalf of WebRTC folks looking for a role e.g. https://x.com/_pion/status/1780286789074252176 so you could consider reaching out to him and similar communities to see if they can help with match-making folks that might be interested in your bounty.
1: https://github.com/nuxt/nuxt/issues/15639#issuecomment-19866...
They employee a bunch of people who work on open-source stuff, and you can pay that company to get stuff done on various open-source projects.
The stumbling block is that the cost is almost always much much more than you would be willing to pay, because, surprise surprise, our line of work is very very expensive.
https://github.com/fossjobs/fossjobs/wiki/Resources#freelanc...