It's about sustainability too. #curl is a small project. We cannot spend multiple hours every day arguing with people who want money for having found what is perhaps a bug - but often is not even that.
It drains us. It drowns us.
Onward and upward!
RE: https://mastodon.social/@bagder/115893088600630096
This should be a wider discussion in the security industry. Sustainability!
It’s important to realize that for (small) open source projects, even reports of real security issues with real impact are significant workloads.
They need to be reviewed, understood, fixes designed.
And those fixes may have further effects like compatibility breakage or redesigns.
If done correctly this is a lot of work, work that those developers usually do unpaid. If they have the time.
Bug bounties may increase the amount of code review and hopefully increase the security of a project due to the amount of eyes on it, but they need to be in sync with the needed resources for the project to review and act on those reports.
What if a bug bounty program paid both the finder and the open source project for fixing an issue?