I disagree that it's a good thing on its own.
Where is the money for more paid maintainers?
Oops.
It's not there.
A #bugbounty on open source projects that don't get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future https://twitter.com/mikko/status/1078644544789532672
I don't follow how that answers Stefan's point, are you proposing a retainer for researchers *and* maintainers?
I’ve always supported full time research into open source security vulnerabilities. Project Zero is not wrong and I’m glad Google pays for it. Bounties work better than expected but are not going to be less stressful for volunteer labor. The job is support. There’s budget.
Security research can be done on spec. But being on call is different. You’re impacted whether or not a bug is found. I’m ok with a retainer. The other guy is getting paid, after all.