by barrkel 3119 days ago
Is anyone else concerned at the perverse incentives created by bug bounties on open source software?

Monetizing bugs may end up encouraging the creation of insidious, underhanded bugs explicitly so that bounties can later be claimed by other parties supposedly at arm's length.

3 comments

This seems a bit paranoid. It's not like OSS doesn't have code review processes.
It pays to be paranoid. I believe I'd be able to add exploitable bugs that would not be detected in most code reviews; there's a large library of techniques available from underhanded C competitions and similar.
If malicious people can add exploitable bugs and claim a bug bounty later, then they can also add exploitable bugs to actually exploit them. So I'd say that bug bounties also work here: they create an incentive to review the code of open-source projects more closely.
After a look at some of the bugs linked at http://www.underhanded-c.org/_page_id_2.html, they are very niche and difficult to exploit in any meaningful way. Not only that, but even a mediocre test suite would find something fishy with most.
>"It pays to be paranoid."

Then, it's not paranoia.

For those wondering, here is a link to underhanded c http://www.underhanded-c.org/_page_id_2.html
I'm not concerned. First, with git we can look at who introduced the bugs. Second, the worst case you fear would still imply development of the project, which is good. After all, you can't maliciously introduce a bug without changing anything.