AKA: Bug Bounties, Bounty driven Bugfixing
Payment offers made by companies or other entities to get bugs fixed that are critical to their business model or to their security concerns. Often these are one-time payments for a single bug, but projects usually have more bugs than one, and an entity that pays for one bugfix might pay for other bugfixes as well.
Requires:
- Setup of a payment mechanism (hosted or self-build)
- Collection and description of one or more bugs with time
Variants & Options:
- Single Bugfix: Removal of one bug
- Bulk Bugfixes: Removal of multiple bugs (e.g., Fix 5 for the price of 4)
- Auctioned Bugfixes: Highest bidder gets to choose the bug to fix
Platforms:
- The Bounties Network
- IssueHunt (BugBounty)
- BountySource
- GitCoin Bug Bounties
- HackerOne: List of Bounty Programs
Characteristics | Value | Note |
---|---|---|
Effort to set-up | Hours | Some descriptions and bank info are sufficient |
Effort to maintain | High | New descriptions and pricings for every new bug, plus development time |
Cost to set-up | None | Bug bounty software is often free or takes only a small cut |
Cost to maintain | None | Bug bounty software is often free or takes only a small cut |
One-time Income | Medium | Often based on hourly wage |
Recurring Income | Low | Bugs never cease, but payers might |
Income Predictability | Low | Too many bugs --> no users; too few bugs --> no income |
Full income Threshold | 100+ | |
Recipient | I | |
Additional Work | Medium | Extra work to fix (hard) bugs |
Visibility | Medium | Every new bug issue will be a reminder of the bug bounties |
Necessity to pay | Medium | Might be necessary for critical bugs |
Entry Threshold | Low | Credit card is sufficient |
Countervalue | Work | |
Scalability | Low | Scales only with the time available to fix bugs |
Effort for marketing | Medium | |
Competitors | O | Might be constrained to maintainers (i.e., rejecting bug fixes from external contributors / developers) |
Software types | All | |
NOTE: If external contributors fix bugs and maintainers accept the changes, the bounties are paid to the contributors and not to the maintainers of the project. This might hinder the maintainers' effort to monetize the OSS project.