> Bountysource is the funding platform for open-source software. Users can improve the open-source projects they love by creating/collecting bounties and pledging to fundraisers.
Usually people use that term for security concerns these days, which definitely exist for open source. I've seen stuff over the years where people have attempted to do bounties for implementing a feature/bugfix/etc, but it's never really taken off.
Yes. There's the Internet Bug Bounty[0], which is administered by HackerOne and funded by a number of companies.
It's paid out three quarters of a million dollars since its foundation in 2013. It was relaunched last month. The pace is picking up, too: $100k has been paid out in the last 90 days[1].
Disclosure: I know of it because I work for Shopify, which is one of the donors.
Upon the suggestions from other commenters, I've had recent interaction with huntr.dev. I maintain an open source project and had a few members on there report vulnerabilities over the last month or two. They seem to pay out both to the finder of the vulnerability and the maintainer (me). The process seemed janky at first but they've improved the platform since my first interaction and they seem to be encouraging a good thing. Had a few false reports but that has been outweighed by well-defined genuine reports.
It seems like it would create some bad incentives for open source maintainers/submitters - someone submits a PR to fix a bug, gets rejected, maintainer commits a similar bug fix, claims reward. Dunno. Interesting idea, execution might have bad knock-on effects.
> It seems like it would create some bad incentives for open source maintainers/submitters - someone submits a PR to fix a bug, gets rejected, maintainer commits a similar bug fix, claims reward.