Hacker News new | ask | show | jobs
by Cyykratahk 301 days ago
I'm guessing Google is avoiding the scenario where a contributor "accidentally" commits code with a bug, then later reports the bug they "found".
2 comments
netsharc 301 days ago
But, what about my minivan? https://devhumor.com/content/uploads/images/October2015/paid...
link
Wowfunhappy 301 days ago
I can understand if it's code the reporting person actually wrote, but if it's just someone else on the project that seems pretty ridiculous.
link
layer8 301 days ago
People could fix each other’s intentionally introduced bugs and make a living that way.

The argument is less convincing when the bugs are a couple years old. There could be an exemption for that, but it’s also more work to verify (Git histories can be fabricated).

link
Wowfunhappy 301 days ago
They could anyway, one person intentionally introduced bugs and the other reports them. The reporter just avoids ever contributing code themself.

But doing any of this repeatedly without getting caught seems hard.

link
motorest 301 days ago
Not ridiculous. It's a clear conflict of interests, and represents a perverse incentive.
link
baq 301 days ago
And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.
link
motorest 301 days ago
> And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.

I don't think that's how it works. I mean, how many problems did you ever fixed by dictating how others should spend their own money?

Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is, and how urgent it needs fixing.

link
hmcq6 301 days ago
> Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is

The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

link
motorest 301 days ago
> The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

Who is "they"? Project maintainers? Project users? You?

> The problem is the money.

So this is a project that didn't require any funding for decades in order to exist. Explain exactly why you believe money is an issue.

link
baq 301 days ago
I'm just saying they've got a bug bounty program but not a bug prevention bounty program, or even a fix a known bug bounty program. The security team has a budget for the realized risks but predictably not for managing unrealized risk in the open source community which they depend on.
link
x0x0 301 days ago
> a bug prevention bounty program

Particularly for a dep they've chosen to ship in their browser.

link