by hzia 1046 days ago
Currently most dev bounty platforms do start with OSS, but we only started doing that last year.

Because of that, 90% of our commercial usage today is still closed-source, and our biggest customer base is from heavily regulated industries like insurance, finance, and even commercial banking, with 2 of them having > $15B each under management.

Now, as you pointed out, we had to implement background checks and audit logs and have a direct full-time relationship with devs through our subsidiaries.

But what made the biggest difference was our security tooling like GitSlice, which along with dev environments cuts down the majority of risk exposure.

I would be really curious why you think something like this won't work for private repos?


There can be two reasons why it is working.

- They might be running shadow IT

- Security and compliance are not their priority.

Since you have implemented BG and other controls, my follow-up question is: are these devs in that case EOR or contractors whose payroll is processed via you? Your org starts to look like deel, remote or midsource.

The whole assigning-PRs-to-junior-devs thing feels gimmicky, no?

However, there are two problem statements you are solving. I agree with the first premise: remote junior devs will get better opportunities and confidence when they do this exercise. As for the second part, value generation, I think the risk is too high for a closed-source org.

We enable EOR + BR + MDM setup on the enterprise plan. Plus, MDM is usually gimmicky given most devs for these clients work in a virtual environment anyway (so the code never leaves their infrastructure).

IMO if we fail as a company, it will be far more likely because of an inability to deliver high-quality PRs rather than an inability to get through compliance.