I agree on all of this.

However, since Colin presumably doesn't want to raise his prices to pay for actual review, it is encouraging that he is at least going with bug bounties. These, at the very least, give us a good excuse to assign them as fun things to do for graduate students, with some hope that one will want to procrastinate so hard that they will actually look at the code.

Also I think any reviewer who wanted to get paid would not start with Colin's code as an easy place to find bugs.

This is one reason why I'm going to be providing bounties for more than just security bugs. Even if people don't expect to find security bugs, they might find a typo in a comment and earn themselves a $1 tarsnap account credit -- and as demonstrated here, simply looking at source code can result in finding bugs even if you weren't originally looking for them.

Clever. Especially since "normal" bugs occasionally have that nasty habit of turning into security-relevant bugs.

It will be interesting to see how close you can manage to get to something resembling good review on a budget. Hopefully other people who are in similar low-margin code businesses will keep an eye on your experiment to see how it works out.

Thanks for being so open about how you're trying to make things work. I hope you'll be publishing all the awarded bounties? (I suppose I should just wait for your follow-up entry.)

Yes, I'll find somewhere on the website to put that list.

Finding a bug in tarsnap is something that might be worth considerably more than your bounty to the highest bidder.

Quite likely. But fortunately for me, most people get nervous at the idea of negotiating with organized crime syndicates.

Not that I've seen, but I might have a different view of what constitutes an organized crime syndicate than you do.

Does the government count?

shhhhh! they might be listening. illegally.

They can sue you for making this hypothesis publicly; please think of it (in your interest).

"since Colin presumably doesn't want to raise his prices to pay for actual review"

Speaking as a Tarsnap user, he ought to. The service is seriously underpriced right now.

I think there's a limited market that would pay for this now; you say you would, other users say they would. But this is not something he can offer to only some users as an extra feature, so all his users would have to be comfortable with it. From a business perspective, I imagine he has done testing to figure out what price is right, and from a security perspective it would probably not be too unreasonable if he just waited until he had enough volume to allow this to happen with only very limited price increases or at his current margins.

In the meantime, the bug bounty + very qualified developer strategy seems like a reasonably sensible option while the service is, presumably, still in its growth phase. I guess we'll find out.

Amen on that! Tarsnap is a key tool in my stack and I feel like I pay 1/10 of what it is worth relative to the other tools.

Yes, thanks Colin, Tarsnap really is gold in today's "cloud era".

