Ask HN: How do you find developers for open source bug bounties?

64 points by freedomben ↗ HN
Background: There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.

But this leads to a higher level question. When you want to sponsor open source bug fixes and/or feature and there isn't a clear "sponsor" link or button, how do you find qualified people? For example, is there a site/app you typically search?

69 comments

[ 3.9 ms ] story [ 124 ms ] thread
Very interesting question. Fun fact today I was looking at some OSS projects like OpenAdapt and apparently they use algora.io for theirs...maybe a starting point?
1. git clone the project you're interested in

2. extract emails of the contributors that are involved in what you need using something like this: git log --pretty=format:"%ad - %ae - %ce"

3. make them an offer

4. keep upping the offer until they say yes

note: I mean to imply, the person that asked the question likely has a budget far lower than the person qualified to do the work is willing to accept.

Bingo.
Open-source is often free, and it seems like a good system that projects can be initialized easily with a low cost, but to use it in a business, businesses should pay the costs of the boring production pipeline, ie the security bounties.
Igalia is a consultancy that specializes in fixing bugs/building features in Browsers. My company uses them regularly
This is the real answer.
> There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.

Have you filed a bug in the project's issue tracker? Has the project team not followed up? Is there a link to this issue?

Filing a bug report properly is work and it is easier to pay.
Seems to me, describing the problem for the person you're going to pay is the exact same amount of work as filing a bug. They can't read your mind so you'll have to detail what you want fixed. Show how to repo the problem so they can prove they fixed it. Sounds like a bug report to me
Depends. No work is involved if problem is easily reproducible. Just need to describe the bug & environment to the "bounty hunter" and they will take care of the rest. Anything more than that would necessitate filing the actual issue yourself.
I have stopped writing bug reports altogether.

I believe to write good bug reports, and put serious effort in it to provide test cases, describe the environment the bug thrives in, make assumptions on what may be wrong, etc. A good bug report takes half an hour of my time, easily. Only to then be ignored for 15+ years and eventually silently closed because "we don't use that architecture anymore". Looking at you, KDE, and Atlassian (= the problem exists regardless on the monetarization format).

It's just no longer worth my time.

(comment deleted)
For a lot of fangs, unless its a bad enough publicly facing bug that it gets notable coverage, it's easier to get hired to the team to fix it yourself than it is to successfully complete all of the following:

  a) get a human to look at your externally submitted bug report unless you just get lucky with one of their team seeing your reddit post
  b) get that bug accepted by the team as a bug
  c) get the bug prioritized to the point that it isn't "bankrupted" to make the team's stats look better at the end of the quarter
  d) actually fixed
Pay successful bounty submissions on a faster than net 180 time frame. A friend was interested in the rather extensive Expensify bug bounty programme [0], but the red tape involved created far too long a turnaround time between claiming a ticket and receiving compensation.

[0] https://github.com/Expensify/App/issues?q=is%3Aopen+is%3Aiss...

Do they get to claim it and then work on it, or do they need to have a solution already to claim it? net 180 wouldn't be bad if you could reserve several of them to work on at a time. It'd suck to work 'for free' that first few months, but then you'd have consistent income coming in regularly after that.
I think I would prefer whomever fixed the bug first, I know that’s not ideal for people who put the time and effort in.
I guess it depends if you're the one doing the paying or the one receiving the pay .
You're going to hire a Google employee?
I've heard a lot of people talk about algora.io I haven't used them myself though.
I always wonder if there is anyone making a living of bounties?

I've once considered it, but the public bounties that I could find were so laughably low that I just saw no way to make it work. <$500 for a bug that would take at least a week to fix? I guess it's a nice tip if you were going to work on it anyway, but it makes no sense for me to schedule time to work on that bounty when pretty much any other job would pay 5 - 10 times as much.

I guess it could work if there were a lot of bounties for a project that you are familiar with, so that you can fix them quickly, but there are so few bounties available that you probably have nothing to do after a week or so.

I know many people making a very good living from bounties (>$500k/year). If you're good, you'll make bank. If not - don't quit your day job.
How is it possible to make that much though? Is it like a private bounty board or something?
Big money like that is only made one way, security vulns in "software or hardware of interest", sold via brokers to 3 letter agencies (or much less scrupulous actors from time to time).
This sounds like they are a known figure in the project and are offered consultancy jobs. When I had a company that is what I did when I needed something fixed. It was not cheap either. The point being yes it is possible but it is not a bounty board like in the city town hall.

Anyway I find it a bit weird the topic is asked at all. Why didn’t the OP just cold contacted committers?

Can you elaborate? Who are these people? What kind of bounties do these people go after? Do they work on lots of small bounties or focus on a few big bounties? Do you personally know these people or are you just talking about the security researchers who discovered high impact issues in iOS?
I know some of them in person as I'm involved in the bug bounty scene myself. What they work on varies depending on skill set and interest. I do not personally know any security researchers with high impact vulnerabilites in iOS but those people get paid millions and you'll never hear about them.

What I do know is that they tend to sell their exploits through exploit brokers like Zerodium.

Are you talking about fixing known bugs, or a "security bug bounty" where they are paid to report unknown security issues?
Security related vulnerabilities.
That’s very different than what the OP question is about. Both are called “bounties” though.

One is getting paid to write code that fixes bugs or adds functionality to open source projects. (Pays very little and we suspect nobody makes a living from)

The other is doing security research and reporting on vulnerabilities. Here typically no fix is provided. You are paid for the discovery. Plenty of good researchers make a living on these security bounties

Depends on what you call "a living".

You probably won't get rich from doing $500 bug bounties.

But there are hackathons with bounties in the $1000-$10000 range.

Do 2-4 of those per month and you're good.

You're not good if they are very close to the bottom of your range.

Unless you live in a hut in Thailand or something.

2 or 4 1k a month puts you either above or way above average salary here in Italy.
You have to compare it to being a self employed business owner instead of to a salary from a job. Half of it is going to go to taxes.
Self employed since 2011. In Italy. I know how this world works. If you get 2 to 4K a month you can easily live an absolutely normal life or even above average.
I suppose it depends on how you are defining normal. Does that mean owning a home and vehicle and supporting a wife and kids, or does that mean sharing an apartment with multiple people and using public transport and not having any savings? I get that the cost of living is lower in Italy, but different people have different ideas about what constitutes comfortable. Just from googling, the 2k seems like it'd be a bit of a struggle but the 4k seems like it'd be pretty nice.
2k/mo pre taxes as a self employed would allow you to live a normal life meaning you’d not struggle to get through the month. 4k/mo would allow you to easily buy a house and live an above average life. This is obviously true for most of the country and it’s different if you want to live in one of the big cities but that goes without saying.
If you happen to be supporting a four-member family on that 2K, it's barely above the poverty line.

Even when you're young and single, it behooves you to think about retirement; it's sooner than you think.

You need a safety net in case something happens, leaving you unable to work for a long time.

If you support a family, you have to think about things like education funds for the kids, and what happens if you suddenly die.

Agree on the family but if 2 people are working (which is normal) with two 2k salaries you’re doing just fine.

Retirement is provided by the state here so it’s not something I have to plan for.

Again, just to reiterate, the original post was using 2k/mo as the absolute minimum and the point I was trying to make is that a few Ks a month is a reasonable living in way more places that people realize.

But I suspect a non negligible % of people here on HN have a distorted view of the world and how much living cost.

In Austria, 2k/mo before taxes is roughly what you earn as a part-time employee filling shelves at the supermarket [1].

[1]: Typical supermarket job in Austria: https://jobs.aldi-hofer.com/hofer-karriere-at/job/Linz-BACKB... The advertised salary for 21 hours/week of 1330€ is paid 14 times per year and comes to a total income of ~15.7k€ after taxes. If you make 24k€ a year as a self-employed person, you will have to pay ~400€ taxes + 6.5k€ pension + health insurance leaving a total of ~17k€ after taxes.

$4000/mo pre-tax is an above average salary for the UK. You'd live just fine in most places in the UK (london aside).
Can't really compare a salary to bounties. With a salary, you can rely on the income.

If you have irregular income, you need to plan for a lot more since you'll always have slow months with no income, or customers that don't pay or pay much later than you expected, and you have a lot of costs that employees don't (eg. you need to pay for your own hardware, office space, accountant, tax advisor, health care, pensions, unemployment insurance, etc).

Are you including two kids and a retirement plan in the picture?
That sounds somewhat feasible, but are there enough of those hackathons around? Can you take part in 20-50 hackathons a year? Most hackathons also require some kind of preparation, I doubt you can just show up, work for 15 hours, and collect $1000?

I'd really love to hear from someone who is making a living from bounties or hackathons, because it just seems very hard or impossible to me.

I helped out running a bug bounty program for a company whose large offering was a FOSS product a couple of years ago. Most of the people participating were either in very LCOL countries like Thailand or Montenegro, or were bored C level/founder people who would use the tiny amount of money as an incentive to keep their coding skills sharp since their day to day no longer involved coding.
I spent a decade or so living life off of bug bounties. Smart Contracts are the only way to go these days.
Finding qualifying people is hard, but with bug bounties you don't have to worry about it right? You only pay when you approve that PR..

I've seen algora being used a lot by many popular projects and recently heard about polar.sh also supporting bug bounties.

There isn’t a market for that, really. You can open bounties for your project and this might interest some developers to do some work with their goal of being hired, eventually. Or maybe they are looking to build a portfolio but then they’ll be picking the bounties to solve. Or the problems are kinda repetitive, so that they can solve the $200 bounty in a single day and they can make it work at scale.

What you are asking for seems very specific, however. It’ll cost thousands in developer hours just to understand the bug and determine if it is really a bug. That assuming you find the right person for this job.

Your best bet is to try and work it out with the chromium team. They are already on Google’s payroll and that’s their job.

Not the same question, but related.

Over the years I feel I've got very good at tracking down reasons for crashes in C and C++ programs, and I quite enjoy the experience of tracking down such bugs.

I've often fancied a way to monetise this, maybe even a "no fix, no fee" system (assuming you can give me a way of reasonably predictibly reproducing the crash, even if it needs a while / has a random element).

It would require the company giving out their source code to me, and giving me a way to build it, so I imagine in most situations it wouldn't be worth the effort, unless the bug was absolutely mission-critical.

We’ve found him, we’ve found the one guy that likes debugging. Honestly though, good for you. There need to be more people like this in the world.
Ey, next to teaching it is the favorite part of my profession!

(I like modeling systems and greenfield development as well, but I feel my time is absolutely best utilized when I can train others or crack hard bugs that are worth paying someone good money to crack.)

Please add me to your newsletter.
I can't find your email address, send me a mail if you want.
I assure you there's at least two of us :-)
I like it too, sometimes. A good bug can be like a whodunnit, with multiple suspects, all doing something nefarious, scheming their little schemes and thinking they're the only ones. Now find the miscreants causing the death of the process.

Some codebases have every participant screaming they stabbed the goddamn basterd, and the job is more a whodidn't.

I love it too! As another commenter says, it's like a murder mistery, specially when it is not your code. The only frustrating bit (at least for me) is being just told "there's a crash around here", but once you have a way to reliably reproduce it I enjoy it quite a bit.
i like debugging too. the problem is, when it's unfamiliar tech then it can take some time to get familiar with it. but i found that when i was unable to find a solution, i was to embarrassed to ask to get paid, so i realized that "no fix, no fee" is ok for me. i just have to estimate the risk involved. how much time can i afford to work on this problem if i don't get paid. in part that is influenced by how much i am interested in learning that tech.
> Background: There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.

HN has a "who is hiring" post on the first weekday of every month. You could try posting there. It shouldn't be difficult to bring someone on through a normal consulting arrangement. Lots of people with good qualifications are looking for work these days.

Doing it through a "bounty" means that you're asking people to work on the issue speculatively, with no guarantee of getting paid (PR is not accepted, someone else gets it first, etc). So FOSS bounties (unless they are quite large) tend to be seen as recognition for basically altruistic work. And who wants to work altruistically on a Google product of all things, especially if Google itself is unresponsive to the bug report?

There was just another post about someone collecting $2 million as a security bug bounty for some cryptocurrency app. The person found a bug that would have allowed takeover of the entire blockchain for that currency. It looks from https://bughunters.google.com/about/rules/android-friends/61... that Google's highest offer for Android exploits is $1 million but there are a lot of smaller ones that are still in six figures.

Of course security issues are "unknown unknowns" and are a different challenge than simply fixing a known bug in a known feature, but just the same, the above shows that getting people's attention with pure financial incentives can take some pretty big amounts. If you're really up for that and are credible, then the approach can work.

Anyway, in the case of a project with a public bug tracker, you can always open an issue and make your offer as part of it. There doesn't have to be a "sponsor" button for that.

I’d cold mail the people who have a contribution history on the area of the project already.

Much more likely to be a quick buck for someone already familiar with the code base

https://www.bountycaster.xyz/start/bounty

this is crypto-adjacent so will probably get thrown ut of HN but still, the platform is pretty incredible for finding and posting bounties both highly technical and non technical. happy to connect you to the founder if interested, maybe she can post on your behalf if you don't wanna sign up for the platform

Great app! Got a logo designed without leaving farcaster
There are a number of ways you could approach this.

1. Post here on HN. On the 1st work day of every month, the whoishiring bot posts 3 Ask HN threads and you can use the Ask HN: Freelancer? Seeking freelancer? thread to post an ad stating the specific skills that you are looking for. You are more likely to get inquiries if you include a budget. Here are 2 examples: https://news.ycombinator.com/item?id=38846044 (Jan 2024) and https://news.ycombinator.com/item?id=38514744 (Dec 2023).

2. There is also Algora (https://console.algora.io/) and they support the very use case you are asking about though they have a take rate of about 25% for each bounty[1].

Here's an example of Scott Chacon using Algora to sponsor a bounty in the Zed repo https://github.com/zed-industries/zed/issues/4440. He posted about his experience on Twitter here: https://x.com/chacon/status/1770005036170375594.

3. One limitation of Algora mentioned in #2 is that there is a high representation of application software (web apps, desktop apps etc) compared to system software (web browsers, databases etc) meaning many of the bounties available are in "mainstream" languages like JavaScript/TypeScript, Golang, Rust. There are only a handful of bounties that require C/C++ expertise (which I imagine is what you'll need to work on Chromium) so it might be a struggle to get the right developers on Algora. One solution would be to post the bounty on Algora then do targeted outreach in WebRTC communities so the bounty can reach the right audience. For instance, Sean DuBois, who runs the Pion WebRTC community, has posted in the past on behalf of WebRTC folks looking for a role e.g. https://x.com/_pion/status/1780286789074252176 so you could consider reaching out to him and similar communities to see if they can help with match-making folks that might be interested in your bounty.

1: https://github.com/nuxt/nuxt/issues/15639#issuecomment-19866...

Hey we would be happy to take this on at Hydra (https://hydraoss.io/). We're an agency built for this kind of problem - finding people to fix things in open source. In contrast to a bug bounty program, we manage everything end to end, and the customer just pays us the invoice and doesn't have to deal with anything else. We specialize in Rust but we've had customers from everywhere. Let us know!
Companies like Collabora (for general linux stuff) and Igalia (for browser type stuff) exist to do things like this.

They employee a bunch of people who work on open-source stuff, and you can pay that company to get stuff done on various open-source projects.

The stumbling block is that the cost is almost always much much more than you would be willing to pay, because, surprise surprise, our line of work is very very expensive.