[Wowfunhappy]

I can understand if it's code the reporting person actually wrote, but if it's just someone else on the project that seems pretty ridiculous.

[layer8]

People could fix each other’s intentionally introduced bugs and make a living that way.

The argument is less convincing when the bugs are a couple years old. There could be an exemption for that, but it’s also more work to verify (Git histories can be fabricated).

[Wowfunhappy]

They could anyway, one person intentionally introduced bugs and the other reports them. The reporter just avoids ever contributing code themself.

But doing any of this repeatedly without getting caught seems hard.

[motorest]

Not ridiculous. It's a clear conflict of interests, and represents a perverse incentive.

[baq]

And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.

[motorest]

> And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.

I don't think that's how it works. I mean, how many problems did you ever fixed by dictating how others should spend their own money?

Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is, and how urgent it needs fixing.

[hmcq6]

> Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is

The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

[motorest]

> The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

Who is "they"? Project maintainers? Project users? You?

> The problem is the money.

So this is a project that didn't require any funding for decades in order to exist. Explain exactly why you believe money is an issue.

[hmcq6]

I misunderstood and thought this was a google sponsored project and not an open bug bounty.

Even still, you're responding in a thread about someone who is trying to do legitimate work on this project and google is not honoring the bug bounty system.

A problem google could fix if they just assigned someone to manually review the case, it would take like 15 minutes.

[baq]

I'm just saying they've got a bug bounty program but not a bug prevention bounty program, or even a fix a known bug bounty program. The security team has a budget for the realized risks but predictably not for managing unrealized risk in the open source community which they depend on.

[x0x0]

> a bug prevention bounty program

Particularly for a dep they've chosen to ship in their browser.