Money for a report and a patch, with convincing test cases, might be worthwhile. Even if a machine generates them.
Not necessarily. Reviewing an issue report is already enough time. Reviewing a patch is even more developer time.
The problem they had before was a financial incentive for sending reports, leading to crap reports that wasted time to review. Incentivizing sending reports + patches has the same failure mode, but they now have to waste even more time to review the larger quantity of input.
Anyway, for most cases I'd bet that Daniel can produce and get reviewed a correct patch for a given security bug quicker than the curl team can review a third-party patch for the same, especially if it's "correct, but ai-written".
I've read this idea that we could make people pay for security reports a few times here on HN (and you get back the money if the report is deemed good). That feels very wrong.
If I find a security issue, I'm willing to responsibly disclose it, but if you make me pay, I don't think I will bother.
Punishing bad behavior to disincentivize it seems more sensible.
> Even if a machine generates them.
That sounds wonderfully meritocratic, but in the real world, a machine generating it is a very strong signal that it's bullshit, and the people are flooding maintainers using the machines. Maintainers don't have infinite time.
What was a kind design to thank good contributors is now a lottery.
Throw enough AI crap at enough projects and you may get a payout.
The incentives fail in the face of no-effort flooding. They accidentally encourage it.
To be clear, no, it is not, because of the opportunity cost of all the other slop. That's what this is all about.
> Even if a machine generates them.
Why? If it is a purely machine-generated report, there is no need to have dozens of third parties that throw them around blindly. A project could run it internally without having to deal with the kind of complications third parties introduce, like duplicates, copy-paste errors or nonsensical assertions that they deserve money for unrelated bugfixes.
A purely machine-generated report without any meaningful contribution by the submitter seems to be the first thing you would want to exclude from a bug bounty program.