More Than 10% of Mozilla Bug Finders Refuse Cash

angry tapir writes "The open-source Mozilla project has been offering cash bounties for security bugs for six years now, but often bug finders simply turn down the cash. Between 10 percent and 15 percent of the serious security bugs reported since Mozilla launched its bug bounty program have been provided free of charge, according to Mozilla."

More evidence...

[fuzzyfuzzyfungus]

More evidence, if any were needed, that "Open Source" software is a sinister communist plot that defies all sound economic principles.

Sincerely,
S. Ballmer.

Re:More evidence...

[jornak]

Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.

Re:More evidence...

[VJ42]

Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.

That's effectively what they're doing - the 'charity' of their choice being the Mozilla foundation.

Re:More evidence...

[somegeekynick]

Charity? Do you mean like the Mozilla Foundation?

Re:More evidence...

[jornak]

I was thinking of something more along the lines of OLPC or any of those charitable organizations that help spread technology to people/places that regularly wouldn't have access to it.

Re:More evidence...

Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of their choice. Just sayin'.

Maybe you should read the article?

"A lot of people would say, 'Don't worry about it. Donate it to the EFF [Electronic Frontier Foundation] or just send me a T-shirt,'"

Re:More evidence...

[Seumas]

Nothing is stopping the bug-hunters from accepting the cash and donating it.

Re:More evidence...

[AHuxley]

Surgical kits, adult literacy, tropical medicine, animals, eye clinics, food banks, a laptop as a gift, lots of Ubuntu ect.

Re:More evidence...

[maxume]

It's a non-profit organization. That doesn't make it a charity, it just means it has a special tax status.

The fact that they accept donation gives some credence to the idea of calling them a charity; that they make far more money from their business activities at least makes it questionable.

Re:More evidence...

You mean like the Mozilla foundation for providing the free web browser that many of those efforts use?

Re:More evidence...

[clone53421]

It is creating something valuable (Firefox, etc.) and giving it away free of charge. Charities give away things free of charge. They’re not terribly different... the only differences are what they’re giving away and who they’re giving it to and under what conditions or circumstances.

Re:More evidence...

[kg8484]

Ah, so what you really meant is:

Y'know if they wanted to refuse the cash... instead of letting Mozilla keep it, have them donate it to the charity of my choice. Just sayin'.

Re:More evidence...

[somegeekynick]

I realise that we might only end up debating semantics and matters concerning law (*shudder*) but, for what it's worth,

The Mozilla Foundation, which is registered as a charity in the United States...

Source And, California registration by the Mozilla Foundation as a charitable trust.

Re:More evidence...

Sure there is. Many of them probably are doing their work for a company. Major companies generally have positions on this that would preclude the "finder" from accepting (even for that moment required to donate it) any kind of a bonus or fee for their work since they were already paid for their work by their employer. I am pretty sure that explains this 10 - 15 percent right there. Not altruism. They are just constrained not to accept. Others are probably also constrained but choose to ignore their company policy.

Re:More evidence...

[clarkkent09]

a) 90% accept cash for their work. Evil bastards!

b) Talking about socialism, good thing we don't have unions in software industry or they wouldn't look too kindly on all these people working for free.

Re:More evidence...

[Peter+Bortas]

That would then make Opera Software (to take an example in the same domain) a charity using the same test.

Re:More evidence...

[clone53421]

I’d omitted/forgotten that a charity also needs to be a non-profit organisation (as maxume had already noted that Mozilla Foundation is a NPO) – perhaps I should have included it.

Re:More evidence...

[jellomizer]

What I really want to know is how many of the people who Got Paid for fixing a serious bug fix were the ones who made it in the first place, or were they the ones that didn't take the money for the fix (as a matter of ethical pride)

10% really isn't that much.

Re:More evidence...

[ffnogoodnik]

People did not get paid for fixing the bug, they got paid for finding it.

Re:More evidence...

[Snaller]

Bullshit. The Mozilla foundation is not a charity nor is giving them money charity.

Re:More evidence...

Um, I'm sure you're wrong. I doubt many of these people overly care about Mozilla Foundation in particular; Chrome bug reporters similarly refuse money. They just refuse to take money for their services. Maybe you've heard of scientists doing the same? It's a shared (minority) opinion in the security industry.

In fact, I think this attitude -- not philanthropy or altruism, but more like mutual aid; an unselfish action without concern for another -- is the natural human response, and it isn't until one becomes cynical and accustomed to our trade-oriented capitalist world that one expects payment in return for services. To this group, accepting recompense is like a besmirch on one's honor; it makes them feel guilty and sullied to even think about it.

Anyway, it's amusing to see so many Slashdotters aghast at the notion of doing hard and laborious work for free.

Re:More evidence...

[radish]

Well of course it depends on your definition of "charity", but under general US/IRS usage, yes they are.

Re:More evidence...

[mobby_6kl]

IANAL, although I did have an intro course on US business law. The Mozilla foundation appears to be a non-profit, and not a charity, as you claim. There's a difference between the two.

Also, Mozilla Corporation is a for-profit subsidiary of the former, though I'm not sure if they're actually the ones giving out these bounties.

Re:More evidence...

[mobby_6kl]

Well fuck me, I might be wrong here. Somebody way down the thread posted a link to California registration of "charitable funds". I'm too hungry to decipher the 30 pages right now, but it very well might be a charity, at least legally by California's registration.

Re:More evidence...

If you want the money to go to a charity, YOU should accept the payment and handle the transaction yourself. Why do you want to burden the Mozilla foundation (in time and money) with doing your good deed?

Just sayin'.

Re:More evidence...

[dubdays]

Just an FYI...From the Mozilla website: "The Mozilla Foundation is a California non-profit corporation exempt from federal income taxation under IRC 501(c)3. Donations are tax deductible for U.S. citizens. For donors outside of the United States, please consult with your tax advisor about whether your donation will be tax deductible."

But 90% accept the cash...

Another nail in the coffin of socialism. Cash is the ultimate motivator.

Re:But 90% accept the cash...

[bsDaemon]

That's not necessarily true. Is 10% higher or lower than in previous years? Is the data such that a trend can be measured? besides, I wouldn't say that cash is necessarily the a direct motivator. Identifying that a bug exists is often times easier than being able to fix it, and tipping off the people who are in a position to fix a problem in a piece of software you rely on is also a valid motivation.

Alternatively, getting your name out there as someone who is smart and gets things done can and often does lead to other opportunities.

Re:But 90% accept the cash...

[Bloopie]

So volunteers working for free is now called socialism?

Re:But 90% accept the cash...

[wisnoskij]

Accepting offered cash does not mean that was the motivation of finding the bug in the first place.

Re:But 90% accept the cash...

[FudRucker]

naw, i am semi-retired, i own a 10 wheeler dump truck that can haul 10 square yards of sand, gravel or dirt/top-soil, i work it when i want to so i am not desperate for money, if i found a bug or vulnerability in any open source software that is free i will submit a bug report through the usual channels for free, since they are good enough to give me free software i will return the favor to help them improve the product for free, (sounds fair to me and most everyone else)

Re:But 90% accept the cash...

[AHuxley]

Philanthropy has family or band name value, the tax bonus and endless feel good publicity. Anonymous volunteers working for free are unfair competition in many areas.

Re:But 90% accept the cash...

[spydabyte]

By your comment I cannot tell if you are a developer or someone not related to computers at all. Bug finding is not an easy task by any measure. Talk to your local Test Engineer.

Re:But 90% accept the cash...

[El_Muerte_TDS]

There are no statistics of how many people who accept the cash donate it to other open source projects who need the cash.

Re:But 90% accept the cash...

[think_nix]

That's not necessarily true. Is 10% higher or lower than in previous years? Is the data such that a trend can be measured? besides, I wouldn't say that cash is necessarily the a direct motivator. Identifying that a bug exists is often times easier than being able to fix it, and tipping off the people who are in a position to fix a problem in a piece of software you rely on is also a valid motivation.

Alternatively, getting your name out there as someone who is smart and gets things done can and often does lead to other opportunities.

Not only your last statement but /*I*/ refuse cash back . It is OSS so giving back is /*my personal*/ way of thanking the rest of the community for their hard work and developing a very good product as a whole , improving that product and also giving free alternatives to commercial software is the main thing /* imho*/.

Re:But 90% accept the cash...

I don't get it. How do you get "socialism" out of turning down a reward or payment? Is that what socialists do?

Re:But 90% accept the cash...

[think_nix]

Accepting offered cash does not mean that was the motivation of finding the bug in the first place.

devs have to eat right ?

Re:But 90% accept the cash...

[bsDaemon]

I admin FreeBSD and Linux systems and do a bunch of q/a work on FreeBSD-based "black box" type networking devices for a specific type of client. I don't do a lot of dev work, what I do is mostly in Perl and BASH. I didn't mean to suggest that finding the bug in the code is easy, but that knowing when there is a problem is easier than doing anything about it.

My roll in q/a involves a lot of use-case testing, and gathering packet capture and log information for use in debugging any potential issues before a production release is rolled out. I don't do any patching of the C code base, in fact it's been months since I've had to use C for anything that wasn't just for fun.

Re:But 90% accept the cash...

[underqualified]

sex > cash

Re:But 90% accept the cash...

[mcgrew]

Like the Freak Brothers said back in the seventies, "Dope will get you through times of no money better than money will get you through times of no dope.

Sex == cash.

Re:But 90% accept the cash...

hcc: missing subject in line 1, sentence 1: "Not only your last statement but refuse cash back ."

Actually

[Monkeedude1212]

There was a bug in the bug submit form. I couldn't check off the box at the bottom that said "Wants Cash".

Does that form work in Netscape?

Re:Actually

[Winckle]

Only in IE6 i'm afraid. :(

Re:Actually

[Drumster]

LOL

Re:Actually

[shadowrat]

that post WAS clever.

Goddamn Beatles!

[denzacar]

And their subliminal programing.

Job may not allow you to accept cash bounty

[catherder_finleyd]

If one were to find the bug in the course of one's job, the employer may not allow you to accept a cash bounty. This is certainly the case in the US Federal Government, as well as many Federal Contractors.

Re:Job may not allow you to accept cash bounty

[clone53421]

Reproduce the bug from home and send in the error report from there. You aren’t supposed to be using unapproved software anyway, and Firefox probably isn’t approved and installed on the computers by the IT department in most workplaces. Although, admittedly, the IT department might turn a blind eye toward people so long as they aren’t causing other problems.

Re:Job may not allow you to accept cash bounty

[thejam]

Also, your work visa may not allow you to accept cash for work of another employer.

Re:Job may not allow you to accept cash bounty

[plcurechax]

The situation may also become marginal or not worth the effort for foreigners to accept the cash, if they need to hire a tax lawyer to deal with foreign income, as most countries don't consider foreign prizes ("windfall") or "bounties" as tax-free (or zero-rate tax rate) income.

Let alone you live / work in a country that is not trusting of US Government and US organizations (think: Cuba, China, Philippines, Latin America), may consider it "proof" of being a spy. Why else would some foreign US non-profit organization group just "give" you money, you capitalist whore?

Re:Job may not allow you to accept cash bounty

My personal experience is that developers at many or most US federal contractors have no problems running Firefox.

Many workplaces will relax such rules for workers who develop software as part of their jobs, and these are the individuals who will be finding bugs in the first place.

"Often"?

[Thats_Pipe]

"... often bug finders simply turn down the cash. Between 10 percent and 15 percent ..."

Not too sure what connotations "often" has for others but 10-15% doesn't really seem that "often"

Re:"Often"?

It's pretty often when you consider that they're turning down cash for spending time finding bugs. I don't know about you but I'd be glad to take that cash off their hands.

Re:"Often"?

[correnos]

In the context of "here have some cash", 15% is pretty often.

Re:"Often"?

If one is hit by lightning every week, one would feel that one is often abused by Thor/Zeus/Mother Nature.

always > usually > often > occasionally > (rarely=seldom) > once in blue moon > never

BTW the "captcha" to submit this post was "decency" ;-)

Re:"Often"?

[easterberry]

You seem to be confusing "often" with "more often than not". They aren't the same thing.

Re:"Often"?

[MaWeiTao]

I just looked up "often" in the dictionary. The definition provides reads, "frequently, many times".

I'd say you're unclear on the definition of often.

10%-15% may be more often than expected, but by no stretch of the imagination is it often.

Re:"Often"?

You'd be amazed what people will do for free. Exhibit A: Go to any bar on a Friday night and see who provides "free" services, works best near closing time when the female patrons are drunk and lonely.

Re:"Often"?

[Twillerror]

I've never taken accounting, but when money is involved generally saying 10-15% is not a good idea.

( Number of bugs people who refused/Number of bugs submitted ) * 100

So if 1 person refused out of 4.

( 1 / 4 ) * 100 .25 * 100
25

25%

How can they only estimate 10-15%? Seems like a feeling more than a concrete report.

Re:"Often"?

[JLennox]

If this was Microsoft it would be "15% of people refuse blood money"

Re:"Often"?

[clone53421]

It probably depends on whether you calculate it based on the number of bugs whose finder refused cash or the number of researchers who refused cash for the bug reports they had submitted. The article states that over 120 bugs have been found by about 80 researchers – some of the researchers submitted more than one bug.

Re:"Often"?

[clone53421]

Both “frequently” and “many” are relative terms. You can have something occur more or less frequently than expected, or more or fewer times than expected.

“More often than not” is unambiguous and definite.

Re:"Often"?

[clone53421]

I’m personally all for accepting free blood money. You can probably put it to a more worthy use (or less destructive one, should we say) than they would if you refused it, after all.

If you want to make a point about it, it’s more effective to accept the money then turn around and give it to a charity that the blood-money givers would disapprove of.

Re:"Often"?

[mobby_6kl]

They are relative, but not completely meaningless. If you plot "often", "frequently" and perhaps "many times" on a scale from 0 to 100% ("never" to "always"), I, and I'd imagine... most people would expect to find all of the three significantly further to the right than the first tenth or 15%. The article (or the summary, I didn't RTFA) attempts to spin the story to make it sound like a higher number than it actually is.

I suggest some alternative headlines:
"Almost 90% of people take money from a non-profit for submitting bugs",
or
"Only about 10% of bug finders volunteer their effort for free".

Re:"Often"?

[clone53421]

What’s misleading about “More Than 10% of Mozilla Bug Finders Refuse Cash”?

Re:"Often"?

[mobby_6kl]

That headline is not too bad, "more than" of course means just that, a>b, but it is often used similarly to "up to". The actual number can be 10.01% and it would be still technically accurate, which is admittedly the best kind of accurate.

Mostly though, it's just the perception that it gives the reader. Would you not say that it makes this result sound good, while, let's say, "More Than 85%* of Mozilla Bug Finders Take the Cash" paint a somewhat different picture?

*Note that this is based on their highest estimate too

Multiple reasons

[randomencounter]

Some people may not be able to accept the bounty, and others may simply feel they have already gotten sufficient value (free browser!).

Though even those with altruistic motives would find it hard to turn down $3000.

Re:Multiple reasons

[shadowrat]

it's $3000! holy shit!

• step 1: contribute bug to mozilla
• step 2: report bug
• step 3: go directly to PROFIT!

nor would I accept it

[FuckingNickName]

I've helped out in projects which help the wider community but which are controlled in some way by organisations which I do not approve of. In such cases, I refuse to take anything but expenses. Benefitting from some organisation of which you disapprove is morally bankrupt, but helping out a good cause which happens to be promoted by that organisation is a fine act.

To do a bit of occupatio:

1. No, the effort in finding the bug isn't an expense, unless you're one of those consumer-citizen types who translates each hour into some cash value;

2. Something exists outside of its ownership. It is not inconsistent to judge that Firefox is good but the Mozilla Foundation is bad.

Re:nor would I accept it

this post took me 27 seconds to read... you owe me $1.75.

Re:nor would I accept it

You really expect me to believe you are worth $233.33 an hour?

Re:nor would I accept it

[shadowrat]

but nothing helps organizations more than getting something for free. what's better for BP? if the community all went down and cleaned up the gulf for free? or if they had to pay through the ass to clean it up?

(a lot of my tax dollars went to cleaning, i support that, but i would support BP paying me back w interest)

Re:nor would I accept it

[Yvanhoe]

I personally consider moral to do the opposite : provide for free a service to an organization you approve of, make pay organizations you disapprove of. I am not sure how this "moral bankruptcy thing" works.

Re:nor would I accept it

[FuckingNickName]

Assuming that some community of volunteers could reasonably do the work, then it depends on whether you think clearing up the oil spill or spiting BP is more important.

The poorest people in the world need to be left to suffer slow death by starvation, because helping them will only encourage their corrupt governments, right?

Re:nor would I accept it

[Aliotroph]

If you're going to fix the bugs anyway then why not take the money and put it into an organization you do support?

Re:nor would I accept it

[Duradin]

More papers to deal with at tax time.

Re:nor would I accept it

[FuckingNickName]

Imagine that the Puppy Killing Party of North America (Republican/Democrat/ADL/ADC/AMI/PETA/whatever sinks your boat) saw that you happened to do something in some way aligned with their mission, even if not directly killing puppies.

They approached you and said, "On behalf of the puppy killers of North America, we're happy with what you've done and we'd like to present you with this cash sum of $1500."

What would you do?

Re:nor would I accept it

[shadowrat]

Well, the important task is to clean/help. Finger pointing and punitive measures aren't going to address the situation. However, I don't see it as morally bankrupt to be compensated for that help.

Re:nor would I accept it

[clone53421]

Accept the money and donate it to the Humane Society. Then call up the local news, they’d likely want to report on it.

Re:nor would I accept it

[FuckingNickName]

The Humane Society does their report. The Puppy Killing Party counterbalances by indicating that they're not for anything inhumane, just campaigning in support of outright killing of puppies. Hell, they've proven how much they are against anything truly evil by happily giving a cash sum to you to donate to the Humane Society. The Party leader gives another $500 to show how much he cares.

And the tenth time that the Humane Society receives a $1500 donation from the Puppy Killing Party thanks to your work, how do you think things will be playing out?

When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.

Re:nor would I accept it

[clone53421]

I’m pretty sure the Humane Society is also against the outright killing of puppies, so your argument is completely ridiculous. And the tenth time the Humane Society receives a $1500 donation, they will have $15,000 worth of the Puppy Killing Party’s money that I have no doubt they will gladly put to better use than the Puppy Killing Party would have.

When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.

Sometimes you have no choice but to accept the payment and continue to do the work.

Re:nor would I accept it

[FuckingNickName]

I’m pretty sure the Humane Society is also against the outright killing of puppies,

What does "outright killing" mean? That puppies in general shouldn't be killed? We at the Puppy Killing Party of America don't believe that a puppy should necessarily be killed on sight. No, we have a set of rational criteria for puppy control. If a sensible proportion of puppies are killed, remaining puppies have the strength and resources to be properly looked after. Whereas many American so-called "humane" societies are happy to kill puppies at the request of the owner - though they'll use words like "euthanasia" and give the dog the indignity of dying in a white room with a needle - we believe in the right for humans to enjoy animal sports.

Because we're fundamentally both in favour of puppy killing, we are happy to donate this money through clone54321, who has done so much work for our cause over the past few months. Thanks to his work, our puppy-killing is now 15% more efficient.

Sometimes you have no choice but to accept the payment and continue to do the work.

Equivocation. Mine is a moral (free) choice, whereas in that case it was afaict required by law to run the ads.

Re:nor would I accept it

[Sir_Lewk]

When you start discussing the finer points of the ethics of killing puppies, you can be pretty sure that your analogy has become unwieldy.

Seeing as you are not BadAnalogyGuy (or are you??), I advise that you just let it die...

Re:nor would I accept it

[FuckingNickName]

"Give a small amount of money to a charity which is perceived as opposing you," is a classical tactic, accompanied by rhetoric (not my opinion!) to disguise the organisation's true mission. What matters here is how the de facto public relations officer for the Puppy Killing Party feels about his position.

The PKP will continue giving money as long as the drop in an ocean payment to the Humane Society continues giving such great publicity.

Re:nor would I accept it

[clone53421]

Publicity !== good publicity.

Re:nor would I accept it

[SleazyRidr]

I can see where your mindset is, but your morality should define what you do, not whether or not you get paid for it. By helping an organisation with whom you disagree, you've already betrayed your morality, so you may as well get something for it.

Re:nor would I accept it

[SleazyRidr]

When someone pays you for work you do, you're working for them. If you don't want to work for them, you have no choice but to refuse their payment.

Unless you've entered into a contract, that doesn't hold.

If I help fix your car, and you 'pay me' with a six pack of beer we're done. If you then use that car to run over orphans I won't return the beer on moral grounds. I would however refuse to help you fix your car again. (I would have refused you in the first instance if I'd known what you were going to do, but one can only act on the knowledge one has at the time.)

To fit into your analogy, I graciously accept the $2000 from the PKP, then refuse to help them again.

Re:nor would I accept it

Benefiting from some organization of which you disapprove is morally bankrupt

benefits TO such an organization is wrong; taking money from them is the opposite

Re:nor would I accept it

[FuckingNickName]

To fit into your analogy, I graciously accept the $2000 from the PKP, then refuse to help them again.

You know from the start that your work is incidentally helping the Mozilla Foundation.

But even if you didn't, what if your work happened to mean that you regularly do stuff which you find out incidentally helps the PKP (e.g. you write some open source product from which they greatly benefit)? Do you refuse further payments? Stop working on the product?

Re:nor would I accept it

[SleazyRidr]

It's all about a cost benefit analysis.

How much does the PKP benefit from my work? How much does the humane society benefit from my work? If the sums of the goods outweigh the sums of the evils then I continue. Accepting any money the PKP wants to give me.

Perhaps I would give more credence to feedback from the humane society than from the PKP, adding the features that the humane society wants, but not those that the PKP wants. If the PKP happens to incidentally benefit from an improvement I make for the humane society and chooses to send me money then that's a double-win for me.

Re:nor would I accept it

[FuckingNickName]

So... doing work which benefits an organisation is wrong, but it can be cancelled out somewhat if they pay me. IOW, getting a job at Puppy Killing Party HQ is OK as long as my salary is high enough ;-).

Look, you're not being paid for the precise value of your work to PKP (or at any non-cooperative firm, but that's another discussion). You're being given a token sum to encourage you to work more and to make them look good. No amount paid out will be sufficient to do them significant damage if used against them. If the beginnings of damage were apparent, they'd stop paying out to anyone, or add a clause stating that money would not be paid out to those who drag them into disrepute.

It's possible that you are the only completely incorruptible person in the world, aiming to channel the income only to causes which counter PKP and not letting the prospect of personal income influence you. It's further possible that you aim correctly, carefully noting such dangers as two sides of the same coin (the ostensible diametric opposition to any cause is often as bad as the original cause) and avoiding donations which can be used as PR in PKP's favour.

But to PKP you're just another productive employee.

Re:15% is not a lot

[Thiez]

It's more often than one would expect. If I walked around handing out free cash, and 49% of people refused it (that is, less than 'may be called often' according to you), that is still much more often than most people would expected.

Finding bugs could be considered a job. If 10 to 15% of people don't expect to be paid for their work, wouldn't you agree that's significantly more than expected?

Re:15% is not a lot

https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report

https://developer.mozilla.org/en/Bug_writing_guidelines

No Money

[helix2301]

The true geek will not take the money. They respect open source and want to help the open source community. Plus it's fun to find holes in software. No to mention firefox is such a great browser why not try and make it better.

Re:No Money

[WhitePanther5000]

That's all well and good, but don't generalize. Bug fixers gotta eat too, ya know.

Re:No Money

The true geek will not take the money.

Unlike the true Scotsman, who will borrow the money.

What Nobel people...

[Itninja]

I have heard that the Nobel prize people will call and ask someone if they would accept the prize if it were offered them. If they say yes, then it's "Great! You have been offered a Noble Prize in %category%!". But if the potential winner indicates they are not really interested in material prizes, they just never offer the prize at all. That way they can say no one has ever turned down a Nobel.

I wonder if the Firefox people do the same thing in reverse. They would call the potential bounty winners (maybe just those in $1000+ range) and say something like "Hi there. This security bug you found might be worth a decent size bounty. If we offered it to you, would you actually take our money or or do something noble and selfless like allowing us to donate it? ". If the winner says they would probably just donate it, then it's all "Super! We will donate it! You're the best". If they take the money then it's "No problem. We offer you $50 for this.".

Of course I seriously doubt this happens at all. But it's fun to start vicious rumors about non-profits >:)

Re:15% is not a lot

[bsDaemon]

I'd say ~20% for often. 50%+ is "usualy" and over 75% can be "most of the time" with "nearly always" reserved for over 90%. So, depending on how you want to spin this, it can be "bug submitters nearly always accept cash," or "often times, bug submitters reject cash" (rounding 15% up to 20% for often-ness). But, as I noted in a previous post, the important thing is which way the numbers are trending, not necessarily what the numbers are, when determining how good news this is. The story title is actually pretty "fair and balanced" with how it frames it.

Something more desired than cash.

[shadowrat]

These guys are probably finding bugs in Mozilla to get laid. I know my wingmen and i have used that line to great success many times. You wouldn't believe how fast the ladies forget the fighter pilots, basketball players, and CIA agents at the bar when I tell them about a DOM parsing error i discovered!

To seal the deal i tell them i didn't want the money as i'm already super rich. Tomorrow i leave for africa to help impoverished children install Ubuntu.

Re:Something more desired than cash.

[Maarx]

These guys are probably finding bugs in Mozilla to get laid. I know my wingmen and i have used that line to great success many times. You wouldn't believe how fast the ladies forget the fighter pilots, basketball players, and CIA agents at the bar when I tell them about a DOM parsing error i discovered!

To seal the deal i tell them i didn't want the money as i'm already super rich. Tomorrow i leave for africa to help impoverished children install Ubuntu.

From Ubuntu (philosophy)

Ubuntu is an ethic or humanist philosophy focusing on people's allegiances and relations with each other. The word has its origin in the Bantu languages of southern Africa. Ubuntu is seen as a classical African concept. The Ubuntu operating system was named for this principle.

Re:Something more desired than cash.

[Monkeedude1212]

Oh man, and I thought MY post was clever.

This made my day.

Re:Something more desired than cash.

I know my wingmen and i have used that line to great success many times. You wouldn't believe how fast the ladies forget the fighter pilots

My wingmen are fighter pilots, you insensitive clod!

Percentage at work?

[GoJays]

What percentage of the individuals who find a bug are currently on work time? If 10% of found bugs are on work time then they may not be able to accept cash from another company while being paid by their current employer. Discovering a bug on work time just means you are doing your job.

They turn down the money because...

...having not to use IE is priceless.

Some even find bugs and donate money to mozilla to keep preventing them from having to use IE.

Re:15% is not a lot

[xenapan]

I work in software, so do alot of my friends, a few of em also exclusively do bug finding. Guess how often one of them tells their employer they dont want their salary? Pretty sure 10-15% is often when it comes to a job.

One good reason to refuse cash...

... is because you'll have to pay more taxes and you don't want more money being used to kill Afghan civilians.

(That is if you live in a crappy country like the US).

I'd take an official "I found a bug T-shirt"

How about a T-shirt that says "I found a Mozilla security bug" T-shirt that includes a GPG-signed copy of your name and the message from the Mozilla foundation.

Costs $10 for the Mozilla foundation, and is worth way more in bragging rights than a couple of hundred/thousand bucks.

Just sayin'

Always take the cash!

Dumb. Take the cash, donate it back, deduct it from your taxes.

In other news

[Zepalesque]

Almost 90% of Mozilla Bug Finders Accept Cash Reward!

Microsost wont pay....

[Methuselus]

because they'd go broke

Re:15% is not a lot

> If I walked around handing out free cash, and 49% of people refused it
> (that is, less than 'may be called often' according to you), that is still
> much more often than most people would expected.

In an old candid camera skit, someone tried that on TV. Had a wad of bills (today's value maybe $2), stood on a busy street corner, approaching passers by, waving a bill, saying "Fiver? Want a fiver? Here! Take a fiver! It's free!"

A vast majority of people gave him a wide berth and a dirty suspicious look - what category of a loon are you exactly?

No money, please.

[PPH]

I'll take uncut diamonds or bearer bonds.

This is capitalism!

And Microsoft is a capitalist company!

They would never pay for bugs or patches or whatever.

They are leaders in a fierce competition field; they're the ones who get to charge for bugs, not the other way around!

Zealots! (8-[