Bounties for security holes make sense because you don’t need to submit the patch, just find the hole.
And bounties for open source (like in this case) also make sense because you have everything you need to submit a patch.
But for everything else (like big tech, startups, and so on) bounties can’t fix bugs because even if I find a bug, how am I going to patch it without access to the source code? How can someone submit a patch to Netflix or whatever?
IME your average SV startup has a long list of bugs they are aware of, but just haven’t gotten around to fixing because other priorities are in the way. But people can’t help patch unless you have an open development process.
You can fix bugs without source lots of ways, although many are arcane and finicky. An example of a healthy and productive ecosystem for this is in game modding. Sometimes this relies on vendor supplied tools (like a modkit, e.g. Elder Scrolls games), messing with bytecode directly (Minecraft until recently), or some cooperation from the vendor (Dwarf Fortress).
In all of those cases users/players were able to fix bugs and add desired functionality (mostly) independently, on a closed-source program.
For industrial software you don't see as much, even though arguably cracks (to skip license check) qualify here.
That seems different to me: a user can download and run a mod, but the fix isn’t then a part of the game itself and available by default to all users. Unless of course the real developers back port it to the game, but that’s just the kind of development effort the parent’s comment seems to be seeking to avoid.
The parent seems to be talking about the companies using bug bounties as a way to fix bugs in their software and the fixes becoming part of that software (not a separate mod run on top).
> even if I find a bug, how am I going to patch it without access to the source code?
That's how. Bethesda put a mod manager in Skyrim and works with some of the developers, they distribute fixes as game patches, you can distribute yours as "mods" or let them repackage it into an official patch or the next update.
I guess maybe it could apply to some niche cases of locally run software like photoshop, though I’d be be shocked if the marginal gains of a bug bounty program could justify the massive cost of implementing a mod system like this for photoshop.
But the fact is that most software in the world doesn’t work like Skyrim. Large parts of most software runs on servers or on locked down mobile operating systems where modding systems are not possible.
What you are proposing kind of already exists for web frontends in the form of browser extensions, but having worked on several apps for which an ecosystem of browser extensions sprung up, my experience is that there is no simple way to port these features to the main product. For security and QA, every line of code needs to be vetted anyway, and then “translated” into a form appropriate for the existing code base. At most, they just validate demand for a feature or bug fix.
Bounties for security holes make sense because you don’t need to submit the patch, just find the hole.
And bounties for open source (like in this case) also make sense because you have everything you need to submit a patch.
But for everything else (like big tech, startups, and so on) bounties can’t fix bugs because even if I find a bug, how am I going to patch it without access to the source code? How can someone submit a patch to Netflix or whatever?
IME your average SV startup has a long list of bugs they are aware of, but just haven’t gotten around to fixing because other priorities are in the way. But people can’t help patch unless you have an open development process.
Am I missing something?