
BountySource have turned evil – alternatives? - pabs3
https://diziet.dreamwidth.org/5938.html
======
mcv
It sounds like they're just taking existing bounty money for themselves. Only
if your bounty is from before 2018, you can only redeploy it, and not get your
money back. Any bounty from between 2018 and today is just lost if it doesn't
get claimed within 2 years. Future bounties probably won't be on this
platform.

Sounds like a quick money grab while destroying your brand. Were they recently
bought by a hedge fund or something?

~~~
hombre_fatal
It makes sense to have some expiry. Else you can be left holding hundreds of
thousands of dollars of people's money that will never return, forever, which
really complicates your finances.

Your own bank has clauses like this btw. I had to fight for my funds in a bank
account I hadn't touched in seven years. And I once used a pay-as-you-go phone
service that would consume your balance if you went 6 months without
depositing.

But two years seems way too aggressive for this sort of project.

~~~
troydavis
> It makes sense to have some expiry. Else you can be left holding hundreds of
> thousands of dollars of people's money that will never return, forever,
> which really complicates your finances.

There's a pretty simple answer here: return it to the person who posted the
bounty. Other options could be letting them donate it (minus standard fees) to
the maintainer(s) of the project that their bounty applied to or to an OSS
organization.

The choices aren't just "Hold on to it forever" and "Take it for
Bountysource." It's on the books as a liability for a reason, namely, it's not
Bountysource's money.

(There's also an entire ecosystem for unclaimed property, which is where banks
distribute money from customers they can't locate:
[https://unclaimed.org/](https://unclaimed.org/))

~~~
rkangel
Returning it to the person who posted it may not be possible - card expired,
can't get in touch with them etc.

~~~
013a
So, because it may not be possible in what is legitimately a small minority of
cases, it should never be done in any case?

~~~
tedivm
Plus there's actually a way to deal with that- California operates an
unclaimed funds/property division that companies are supposed to hand money
over to if they don't have the right to it. My wife actually found out that
she was owed money from a previous medical provider who overcharged her- just
had to fill out some forms.

You can't just steal people's money because it's inconvenient to return it to
them.

[https://www.sco.ca.gov/upd_msg.html](https://www.sco.ca.gov/upd_msg.html)

~~~
ViViDboarder
Every state does this. It’s called escheatment.

------
troydavis
If you are a victim of this scam-as-policy, strongly consider contacting your
state Attorney General's office.

Your state AG's Web site will have a form for filing a consumer complaint.
Here are example links if you live in California or in Washington State:

[https://oag.ca.gov/contact/consumer-complaint-against-busine...](https://oag.ca.gov/contact/consumer-complaint-against-business-or-company)

[https://www.atg.wa.gov/consumer-issues](https://www.atg.wa.gov/consumer-issues)

Save and include a copy of the changed
[https://www.bountysource.com/terms](https://www.bountysource.com/terms),
which says this: "2.13 Bounty Time-Out. If no Solution is accepted within two
years after a Bounty is posted, then the Bounty will be withdrawn and the
amount posted for the Bounty will be retained by Bountysource. For Bounties
posted before June 30, 2018, the Backer may redeploy their Bounty to a new
Issue by contacting support@bountysource.com before July 1, 2020. If the
Backer does not redeploy their Bounty by the deadline, the Bounty will be
withdrawn and the amount posted for the Bounty will be retained by
Bountysource."

~~~
truglobalvagina
They reverted the terms and withdrew the changes.

------
csunbird
> If no Solution is accepted within two years after a Bounty is posted, then
> the Bounty will be withdrawn and the amount posted for the Bounty will be
> retained by Bountysource.

What? Do they really want to keep the award money if nobody solves the
problem?

~~~
nolok
It means they have a direct interest in making sure nobody solves the problem
and wins the bounty.

~~~
csunbird
Exactly. This also means they can make the user experience bad at finding bugs
or throw in additional clauses that disqualify participating bounty hunters to
claim the money themselves.

Think of Amazon's search: Finding the correct thing you want, sold by your
preferred/official merchant is kind of impossible. They can pull the same
thing, so the bounties stay unsolved.

------
coryyaboix
I was one of the original engineers working at BountySource when it started
back in 2012. It was a very humble project with positive intent that struggled
with finding ways to sustain business (aka make money). When all the staff was
laid off and the company later sold it was done, sad day for us all that
thought we were building something good for the FOSS community and this
bullshit happens.

I think some central authority not tied down to any single issue tracker or
source code repository for bug bounties is still a good idea, but it will
never work if the controlling entity is a single for profit organization. Let
bountysource die.

~~~
corytheboyd
woops posted that from a different account, this is my main one :p

~~~
renewiltord
Oh thanks for that insight. I'll delete my account!

~~~
coryyaboix
Okay

------
cbmuser
That's really disappointing. I have four active campaigns which have collected
already over $5000 in total, including the one Ian mentioned. I hope these
issues can be resolved before the two-year period expires. It would be a shame
if that money would just be kept in by Bountysource.

If anyone is interested, the campaigns concern GCC and LLVM:

> [https://www.bountysource.com/issues/84630749-avr-convert-the...](https://www.bountysource.com/issues/84630749-avr-convert-the-backend-to-mode_cc-so-it-can-be-kept-in-future-releases)

> [https://www.bountysource.com/issues/91495157-vax-convert-the...](https://www.bountysource.com/issues/91495157-vax-convert-the-backend-to-mode_cc-so-it-can-be-kept-in-future-releases)

> [https://www.bountysource.com/issues/90829856-llvm-complete-t...](https://www.bountysource.com/issues/90829856-llvm-complete-the-m68000-backend-so-it-can-be-merged-upstream)

> [https://www.bountysource.com/issues/86138921-rfe-add-a-front...](https://www.bountysource.com/issues/86138921-rfe-add-a-frontend-for-the-rust-programming-language)

------
buovjaga
All the alternatives to BountySource seem to be coupled with GitHub, which is
rather non-optimal:

[https://gitpay.me/](https://gitpay.me/)

[https://issuehunt.io/](https://issuehunt.io/)

[https://gitcoin.co/landing](https://gitcoin.co/landing)

[https://tip4commit.com/](https://tip4commit.com/)

Is there any actively-maintained FOSS bounty platform without the GitHub
dependency?

~~~
jzebedee
What's wrong with GitHub?

~~~
zucker42
In addition to the reasons GitHub is "bad", people may just prefer to use
other hosting platforms.

~~~
esperent
> In addition to the reasons GitHub is "bad"

Reasons such as?

~~~
E5JBK7UJPT
The fact that it is closed source and owned by Microsoft.

------
zucker42
Seriously, they just unilaterally decided to take money from projects? Am I
understanding this right? Surely that's a huge breach of contract.

~~~
slenk
I am trying to understand this as well. It seems straight up illegal

~~~
Nextgrid
Unfortunately, illegal business models seem commonplace at least in the US.
See the various food delivery companies committing fraud by misrepresenting
themselves as the restaurants (buying domains & phone numbers and outranking
the legitimate website on search engines), etc.

~~~
rideontime
And the various taxi companies ignoring regulations by calling themselves
"rideshares"!

~~~
Nextgrid
That's more of a grey area - there is at least a significant chunk of people
that are happy for the taxi monopoly and the medallion system to go away.

But plain fraud where you steal money (or tips) or impersonate other
businesses? I don't think anyone is going to be happy with that.

------
Doctor_Fegg
Probably best not to email suppport@bountysource.com with three Ps if you want
your email answered.

~~~
pm215
Thanks for noting the typo -- I mentioned it to Diziet, who has now corrected
the error.

------
ddevault
BountySource has been evil for a long time. They don't reach out to
maintainers before accepting payments for arbitrary github issues - I had to
email them _four times_ to have my projects unlisted.

~~~
lokedhs
This information explains why they changed the terms of service. They probably have
a lot of bounties where the project owner doesn't know about it. I'm sure they
would prefer to get that money.

------
josephcsible
They reversed course!
[https://github.com/bountysource/core/pull/1498/commits/b9774...](https://github.com/bountysource/core/pull/1498/commits/b9774692fa72ab96021d6ac6113aa08c0abf8c7a)

~~~
dundarious
Yes, I just received the following e-mail:

Hi You're receiving this because we updated our Terms of Service.

Withdrawal of new Terms of Service Yesterday, we communicated a change to the
Bountysource Terms of Service (ToS) agreement. These changes have been
withdrawn and the ToS reverted to its prior state. The ToS will be revised and
clarified in the future.

Thankyou

Bountysource Team support@bountysource.com

------
ksowocki
hi from gitcoin

more on us: [https://gitcoin.co/mission](https://gitcoin.co/mission)
[https://gitcoin.co/results](https://gitcoin.co/results)

~~~
mtmail
OP asked for alternatives, the founder of gitcoin "a platform for you to get
paid for working on open source software" comments pointing to their website.
It might have been worded better but I think it's a relevant answer.
(commenter is [https://twitter.com/owocki](https://twitter.com/owocki))

~~~
spuz
Yeah, not sure why ksowocki was downvoted...

~~~
ksowocki
sorry if i broke any rules yall.

------
oefrha
Can backers just close and claim their bounties themselves, or ask friends to
claim them? What’s the point of redeploying only to extend the clock for two
years, and who knows what other crap BountySource will pull in the future.

------
wlkr
Just to provide some additional context, I did a quick analysis of the active
bounties on BountySource and it seems that there is approximately 230k USD
total unclaimed with ~150k USD being pre-2018.

------
devit
That seems outright illegal misappropriation of funds, not just being "evil".

~~~
ocdtrekkie
My guess is it depends if the money they're stealing from any one project is
going to be enough to justify taking them to court. My guess is that very few
projects have that avenue even available to them... given they use
BountySource for funding.

~~~
zucker42
A class action may be possible. Or reporting them to the relevant prosecutor
or consumer protection agency.

------
hirundo
Their new business model would be more clear if they changed the name to
BountySink.

------
wizzwizz4
[https://alternativeto.net/software/bountysource/](https://alternativeto.net/software/bountysource/)
has a pretty good list. I immediately spot
[https://freedomsponsors.org/](https://freedomsponsors.org/).

~~~
sigio
The freedomsponsors.org one doesn't render correctly and gives warning popups
on both firefox and chromium here. Doesn't look very assuring.

~~~
wizzwizz4
It works on my machine. The layout is fairly vertical, but I think it's meant
to look like that. (And what warning message?)

------
xvilka
There is a free and open source alternative written in pure Go - "donate"[1].
For now it works only with cryptocurrencies though. Another good option is
OpenCollective [2]. They are completely open-source [3] but charge a
substantial fee. Moreover, they integrate[4] with GitHub Sponsors seamlessly.

[1] [https://github.com/jollheef/donate](https://github.com/jollheef/donate)

[2] [https://opencollective.com/](https://opencollective.com/)

[3] [https://github.com/opencollective](https://github.com/opencollective)

[4] [https://docs.opencollective.com/help/collectives/github-spon...](https://docs.opencollective.com/help/collectives/github-sponsors)

------
pabs3
Some others are listed on the FOSSjobs resources wiki page:

[https://github.com/fossjobs/fossjobs/wiki/resources#bounties](https://github.com/fossjobs/fossjobs/wiki/resources#bounties)

~~~
buovjaga
FOSS Factory is in zombie mode.

I guess FreedomSponsors still works (didn't try it in years), but active
development stopped in 2017/2018 and communication stopped in 2015. I liked it
and used it to fund some small fixes back in the day.

------
eeZah7Ux
What's the process to delete a BountySource account and have your data
removed?

------
mattbk1
[https://liberapay.com](https://liberapay.com), although not coupled to git,
is "designed to provide a stable crowdfunded basic income to creators."

~~~
cjm42
Which is basically the opposite of a bounty system. Liberapay is no substitute
for BountySource; instead, it's competing with services like Patreon.

------
ip_addr
I received an email that they reverted the tos to the previous version.

[https://pastebin.com/raw/7bmHFK5w](https://pastebin.com/raw/7bmHFK5w)

------
scandox
Can someone please build an evil-o-meter? Just send me an email when a
company/service changes ownership or TOS.

Thanks in advance.

------
icanhay
The alternative I prefer for funding open source is Supso.org, seems like the
best method IMO

------
rshnotsecure
I would suspect that CanYa is behind this change. They I believe acquired
BountySource two years ago, and probably just enough of the old guard has left
for them to push this change through internally.

Not sure what the motive would be though.

~~~
gwd
> Not sure what the motive would be though.

A non-evil motive would be that for accounting reasons that has to be kept on
the books as a liability, and it's not nice to keep liabilities around
indefinitely. There are lots of situations where this is the case, but where
"just keep the money" is actually accepted practice. Gift cards, for instance.
Also, I've seen IT support contracts where you purchase a certain number of
"hours" that you spend on logged work; and those hours expire if you don't use
them within 2 years.

But obviously this is completely different, since in the above two cases, you
as the consumer have control over when the spend happens; you have no way of
knowing if or when anyone is going to fulfill your bounty.

~~~
ocdtrekkie
Yeah, I'm sure they want to clear these off the books, but I think the "right"
way they could've handled this is to take their cut, and pay out the bounty to
the maintainer of the project.

I have to imagine the amount of money they're looking at collecting here in
the >2 year old bucket is large enough that they're willing to take the PR
hit. There's probably a good chunk of change there held by now-inactive users
who they're hoping won't actually do anything about the change like
redirecting their funds.

It's also really sad because the open source project I contribute to is six
years old, and had a couple year quiet period, but is often tackling multi-
year old issues now. In our case, we don't use BountySource, but had we, we'd
be looking at losing funding that we were still very much intending to earn.

~~~
josephcsible
> There's probably a good chunk of change there held by now-inactive users who
> they're hoping won't actually do anything about the change like redirecting
> their funds.

Or it could be exactly the opposite bucket: any bounties less than 2 years old
are still subject to expiration, but they're not allowing you to redirect them
when they expire.

