The concept is flawed. It misunderstands that developers of open source projects already have incentives to work on the project. While security researchers usually have no incentive to look into an open source project.
Speak for yourself, yo
No, I speak of reality.
There are other realities. The retainer model isn’t awful. It’s a support contract, for support. Being on call is work even if you don’t do anything because you have set up the intrusive structure in case work is necessary. Less money, but guaranteed. That trade is common.
I don't follow how that answers Stefan's point, are you proposing a retainer for researchers *and* maintainers?
I’ve always supported full time research into open source security vulnerabilities. Project Zero is not wrong and I’m glad Google pays for it. Bounties work better than expected but are not going to be less stressful for volunteer labor. The job is support. There’s budget.
Security research can be done on spec. But being on call is different. You’re impacted whether or not a bug is found. I’m ok with a retainer. The other guy is getting paid, after all.
“Which one person should get paid for many people’s valuable contributions” is a bit odd. Fund what society needs. Blood to each finger, not just one or two.
I'm not sure I follow the on-call point, but of course maintenance and security work are both valuable. I think Stefan's point was that a project might want to (or need to) incentivize security, but already has maintainers who benefit indirectly or in non-financial ways.
I like more support. I like more security research. I like more funding. I don’t like implying some group is already paid enough. In security, even when people are paid well (which isn’t always), there’s not enough people.
Ah-ha, I think I understand what you're saying. It's a nice thought, but I suppose the counterargument is that it's a long way off and *right now* the incentives need to be enough to make the work actually happen.
People like myself, @k8em0, and even you speaking up are *how* things change from a long way off to yes, of course, let’s do that too. It’s ok. We can talk about things getting better beyond point solutions like writing a check and expecting problems to fix themselves.
Sure, fair enough.