HACKER Q&A
📣 freedomben

How do you find developers for open source bug bounties?


Background: There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.

But this leads to a higher level question. When you want to sponsor open source bug fixes and/or features and there isn't a clear "sponsor" link or button, how do you find qualified people? For example, is there a site/app you typically search?


  👤 newaccount74 Accepted Answer ✓
I always wonder if there is anyone making a living off bounties?

I once considered it, but the public bounties that I could find were so laughably low that I just saw no way to make it work. <$500 for a bug that would take at least a week to fix? I guess it's a nice tip if you were going to work on it anyway, but it makes no sense for me to schedule time to work on that bounty when pretty much any other job would pay 5 - 10 times as much.

I guess it could work if there were a lot of bounties for a project that you are familiar with, so that you can fix them quickly, but there are so few bounties available that you probably have nothing to do after a week or so.


👤 mickael-kerjean
1. git clone the project you're interested in

2. extract emails of the contributors that are involved in what you need using something like this: git log --pretty=format:"%ad - %ae - %ce"

3. make them an offer
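A worked version of the git log step, added here as an example and not part of mickael-kerjean's post: it ranks author emails for a given path using the same log format, and builds a small constructed repository so it can be run offline. It assumes git is installed; the email addresses and file names are made up.

```shell
# top_contributors REPO PATH [N]
# Prints "<commits> <author-email> <date-of-latest-commit>" for the N most
# active author emails on PATH. The log line keeps the committer email (%ce)
# from the post's format, but the ranking is by author email (%ae).
top_contributors() {
  repo="$1"; subpath="$2"; n="${3:-10}"
  git -C "$repo" log --date=short --pretty=format:'%ad - %ae - %ce' -- "$subpath" |
    awk -F' - ' '
      { count[$2]++; if (!($2 in latest)) latest[$2] = $1 }   # log is newest-first
      END { for (e in count) printf "%d\t%s\t%s\n", count[e], e, latest[e] }' |
    sort -k1,1nr -k3,3r | head -n "$n"
}

# demo_commit DIR EMAIL FILE: one constructed commit by EMAIL touching FILE.
demo_commit() {
  mkdir -p "$1/$(dirname "$3")"
  echo "edit by $2" >> "$1/$3"
  git -C "$1" add "$3"
  git -C "$1" -c user.name="$2" -c user.email="$2" commit -q -m "touch $3"
}

# make_demo_repo DIR: a small constructed repository with three made-up authors,
# so the ranking has something to show without cloning anything.
make_demo_repo() {
  git init -q "$1"
  demo_commit "$1" alice@example.com webrtc/peer.cc
  demo_commit "$1" bob@example.com   webrtc/peer.cc
  demo_commit "$1" alice@example.com webrtc/ice.cc
  demo_commit "$1" carol@example.com docs/README.md
}

# Usage: build the demo repo and list who has worked under webrtc/ (carol,
# who only touched docs/, does not appear).
demo_dir=$(mktemp -d)
make_demo_repo "$demo_dir"
top_contributors "$demo_dir" webrtc
```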


👤 asattarmd
Igalia is a consultancy that specializes in fixing bugs/building features in browsers. My company uses them regularly.

👤 csomar
There isn’t a market for that, really. You can open bounties for your project and this might interest some developers to do some work with their goal of being hired, eventually. Or maybe they are looking to build a portfolio but then they’ll be picking the bounties to solve. Or the problems are kinda repetitive, so that they can solve the $200 bounty in a single day and they can make it work at scale.

What you are asking for seems very specific, however. It’ll cost thousands in developer hours just to understand the bug and determine if it is really a bug. That assuming you find the right person for this job.

Your best bet is to try and work it out with the chromium team. They are already on Google’s payroll and that’s their job.


👤 jpt4
Pay successful bounty submissions on a faster than net 180 time frame. A friend was interested in the rather extensive Expensify bug bounty programme [0], but the red tape involved created far too long a turnaround time between claiming a ticket and receiving compensation.

[0] https://github.com/Expensify/App/issues?q=is%3Aopen+is%3Aiss...


👤 CJefferson
Not the same question, but related.

Over the years I feel I've got very good at tracking down reasons for crashes in C and C++ programs, and I quite enjoy the experience of tracking down such bugs.

I've often fancied a way to monetise this, maybe even a "no fix, no fee" system (assuming you can give me a way of reasonably predictably reproducing the crash, even if it needs a while / has a random element).

It would require the company giving out their source code to me, and giving me a way to build it, so I imagine in most situations it wouldn't be worth the effort, unless the bug was absolutely mission-critical.


👤 rsingireddy
Hey we would be happy to take this on at Hydra (https://hydraoss.io/). We're an agency built for this kind of problem - finding people to fix things in open source. In contrast to a bug bounty program, we manage everything end to end, and the customer just pays us the invoice and doesn't have to deal with anything else. We specialize in Rust but we've had customers from everywhere. Let us know!

👤 ayushm2003
https://www.bountycaster.xyz/start/bounty

this is crypto-adjacent so will probably get thrown out of HN but still, the platform is pretty incredible for finding and posting bounties both highly technical and non-technical. happy to connect you to the founder if interested, maybe she can post on your behalf if you don't wanna sign up for the platform


👤 Havoc
I’d cold mail the people who have a contribution history on the area of the project already.

Much more likely to be a quick buck for someone already familiar with the code base


👤 orliesaurus
Very interesting question. Fun fact: today I was looking at some OSS projects like OpenAdapt and apparently they use algora.io for theirs...maybe a starting point?

👤 grandinj
Companies like Collabora (for general linux stuff) and Igalia (for browser type stuff) exist to do things like this.

They employ a bunch of people who work on open-source stuff, and you can pay that company to get stuff done on various open-source projects.

The stumbling block is that the cost is almost always much much more than you would be willing to pay, because, surprise surprise, our line of work is very very expensive.


👤 chrommmer
> There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.

Have you filed a bug in the project's issue tracker? Has the project team not followed up? Is there a link to this issue?


👤 pabs3
There are lots of open source consultancies (Igalia for example does a lot of work on web browser and lower layers), and some projects have lists of available consultants:

https://github.com/fossjobs/fossjobs/wiki/Resources#freelanc...


👤 raybb
Coolify has had at least some success using the bounty platform https://algora.io/

👤 ayewo
There are a number of ways you could approach this.

1. Post here on HN. On the 1st work day of every month, the whoishiring bot posts 3 Ask HN threads and you can use the Ask HN: Freelancer? Seeking freelancer? thread to post an ad stating the specific skills that you are looking for. You are more likely to get inquiries if you include a budget. Here are 2 examples: https://news.ycombinator.com/item?id=38846044 (Jan 2024) and https://news.ycombinator.com/item?id=38514744 (Dec 2023).

2. There is also Algora (https://console.algora.io/) and they support the very use case you are asking about though they have a take rate of about 25% for each bounty[1].

Here's an example of Scott Chacon using Algora to sponsor a bounty in the Zed repo https://github.com/zed-industries/zed/issues/4440. He posted about his experience on Twitter here: https://x.com/chacon/status/1770005036170375594.

3. One limitation of Algora mentioned in #2 is that there is a high representation of application software (web apps, desktop apps etc.) compared to system software (web browsers, databases etc.), meaning many of the bounties available are in "mainstream" languages like JavaScript/TypeScript, Golang, Rust. There are only a handful of bounties that require C/C++ expertise (which I imagine is what you'll need to work on Chromium) so it might be a struggle to get the right developers on Algora. One solution would be to post the bounty on Algora then do targeted outreach in WebRTC communities so the bounty can reach the right audience. For instance, Sean DuBois, who runs the Pion WebRTC community, has posted in the past on behalf of WebRTC folks looking for a role e.g. https://x.com/_pion/status/1780286789074252176 so you could consider reaching out to him and similar communities to see if they can help with match-making folks that might be interested in your bounty.

1: https://github.com/nuxt/nuxt/issues/15639#issuecomment-19866...


👤 dboreham
You're going to hire a Google employee?

👤 vidyesh
Finding qualifying people is hard, but with bug bounties you don't have to worry about it, right? You only pay when you approve that PR.

I've seen algora being used a lot by many popular projects and recently heard about polar.sh also supporting bug bounties.


👤 burcs
I've heard a lot of people talk about algora.io I haven't used them myself though.

👤 12thhandyman
Seem to recall a site for bounties posted at some point on HN. Not sure if this is the one, or if it’s “any good” but [1] exists.

[1] https://www.openbugbounty.org/


👤 throwaway81523
> Background: There's a WebRTC Chromium bug that is making life difficult for us. I'd like to pay a developer to fix it, but I don't know where/how to find people.

HN has a "who is hiring" post on the first weekday of every month. You could try posting there. It shouldn't be difficult to bring someone on through a normal consulting arrangement. Lots of people with good qualifications are looking for work these days.

Doing it through a "bounty" means that you're asking people to work on the issue speculatively, with no guarantee of getting paid (PR is not accepted, someone else gets it first, etc). So FOSS bounties (unless they are quite large) tend to be seen as recognition for basically altruistic work. And who wants to work altruistically on a Google product of all things, especially if Google itself is unresponsive to the bug report?

There was just another post about someone collecting $2 million as a security bug bounty for some cryptocurrency app. The person found a bug that would have allowed takeover of the entire blockchain for that currency. It looks from https://bughunters.google.com/about/rules/android-friends/61... that Google's highest offer for Android exploits is $1 million but there are a lot of smaller ones that are still in six figures.

Of course security issues are "unknown unknowns" and are a different challenge than simply fixing a known bug in a known feature, but just the same, the above shows that getting people's attention with pure financial incentives can take some pretty big amounts. If you're really up for that and are credible, then the approach can work.

Anyway, in the case of a project with a public bug tracker, you can always open an issue and make your offer as part of it. There doesn't have to be a "sponsor" button for that.


👤 danlugo92
What is the bug?