It sounds like they're just taking existing bounty money for themselves. If your bounty is from before 2018, you can only redeploy it, and not get your money back. Any bounty from between 2018 and today is just lost if it doesn't get claimed within 2 years. Future bounties probably won't be on this platform.
Sounds like a quick money grab while destroying your brand. Were they recently bought by a hedge fund or something?
I really wish there was a non-black-mirror way to throw a couple bucks towards putting a bounty on someone's head. Doesn't have to be murder or anything. Maybe just wreck their cars and break a wrist or something.
Literally just any repercussions at all for being like this would be a nice change of pace.
That's the most nonsensical idea I've heard from a non-politician in recent memory (apologies if I have made an incorrect assumption about your employment).
What we have instead of terrible ideas like this are laws. Unfortunately these are often designed by the same nonsensemongers mentioned above, but they are the only reasonable recourse.
Good ideas don't start off fully formed. I'm talking about the desire to have a bottom up justice system. The fact that anger is the impetus means there is a lot of potential for a slippery slope, and I cede that.
But the point stands: there are many people who've reaped nothing but benefits from being horrible, and I would gladly pitch a couple bucks to make their life miserable for a while.
If you could pitch in a couple bucks to make their life miserable for a little while, they could finance a campaign to make your life miserable for a long time.
Laws are the only reasonable recourse. They may have better access to laws and legal maneuverings, of course.
But you're measuring things incorrectly, I think. You write:
> there are many people who've reaped nothing but benefits from being horrible
Nope. They've reaped what they've sown, and they are horrible people. They might be rich or powerful, but who really cares?
So... your idea to punish rich assholes is to implement a system where you can pay money to make people miserable. Do you see the glaring flaw in this plan?
Decisions based on spite are still a bad idea. Of course this kind of cash grab should be illegal, and I really hope this case will go to trial, but justice is best dealt out without passion.
The emotional basis has a lot of influence, and is a problem regardless of emotion. But we are human. It's only through working together we can find what is and is not simply emotional by seeking the overlap.
It makes sense to have some expiry. Else you can be left holding hundreds of thousands of dollars of people's money that will never return, forever, which really complicates your finances.
Your own bank has clauses like this btw. I had to fight for my funds in a bank account I hadn't touched in seven years. And I once used a pay-as-you-go phone service that would consume your balance if you went 6 months without depositing.
But two years seems way too aggressive for this sort of project.
> It makes sense to have some expiry. Else you can be left holding hundreds of thousands of dollars of people's money that will never return, forever, which really complicates your finances.
There's a pretty simple answer here: return it to the person who posted the bounty. Other options could be letting them donate it (minus standard fees) to the maintainer(s) of the project that their bounty applied to or to an OSS organization.
The choices aren't just "Hold on to it forever" and "Take it for Bountysource." It's on the books as a liability for a reason, namely, it's not Bountysource's money.
(There's also an entire ecosystem for unclaimed property, which is where banks distribute money from customers they can't locate: https://unclaimed.org/)
Plus there's actually a way to deal with that: California operates an unclaimed funds/property division that companies are supposed to hand money over to if they don't have the right to it. My wife actually found out that she was owed money from a previous medical provider who overcharged her; she just had to fill out some forms.
You can't just steal people's money because it's inconvenient to return it to them.
That's a reasonable point, but they could have addressed it without keeping everyone's money. People would be a lot less upset if you had a 30-day grace period to claim a refund whenever a bounty expired, and only forfeit it if you ignored that. But they didn't do that, and are keeping everyone's money even when returning it is possible.
Even in that case, in certain jurisdictions you are required to send the money to the government in a process called 'escheatment'. If the person comes back looking for their money after that point then they have to go to the state and prove that it is theirs in order to get it returned.
This is an interesting problem that ruined a side project I worked on. I wanted to avoid forcing people to pay monthly subscription fees so instead I let them buy "credits" and pay as they go. Unfortunately many people bought credits and then disappeared after using the product a couple of times, leaving my company with thousands of dollars we were actually holding on behalf of our customers. My accountants informed me that even though we have that money in the bank it's not really "ours," and we can't even find a lot of these people in order to refund them.
I'm not saying that what BountySource is doing is justified. In my case I need to just wind down the company because I think it would be unethical to pull this shit.
The money belongs to you, but the credits belong to the customer. If you were selling cakes, and customers hold 1000 credits, you must hold on to enough money to buy the flour for those cakes, so to speak.
California banks must follow escheatment to pass this to the state where it will be kept for you. So as a California resident this is what I'd want. I used BountySource to help out Neovim. I won't use it again.
> Else you can be left holding hundreds of thousands of dollars of people's money that will never return, forever, which really complicates your finances.
An entire legal framework already exists for just this scenario, and it doesn't involve pocketing the money.
Money and other assets are supposed to be relinquished to the state so that the owner or intended recipient can collect it.
Two years could even be acceptable, but these are terms you need to specify up front. It's changing the terms on money that they already hold, that's the dirty part about this.
My partner is the Grants Manager for a UK charity. It is a large ongoing hassle for them having funds marked for specific purposes with no expiry that they can't spend. There is a mechanism there where they can apply to the Charity Commission but it's a painful process (this is on purpose).
There is no such recourse in this case so the idea makes perfect sense to me. Two years is the only bit I have an issue with - 5 would be a bit more reasonable.
If the problem is truly to avoid holding a liability then donating the money to a charity, tech-related non-profit such as the EFF, or even redistributing it across all of the other active bounties (that are actually likely to be paid out) would be much better.
What they're doing here is just a scummy cash-grab, and I am not sure how legal it is considering it applies retroactively.
Hm, strange. A bit unlike Bountysource. It would make more sense if it was before 2018 and there has been no activity on the bounty/issue, and even then they should offer a redeploy or refund.
Save and include a copy of the changed https://www.bountysource.com/terms, which says this: "2.13 Bounty Time-Out. If no Solution is accepted within two years after a Bounty is posted, then the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource. For Bounties posted before June 30, 2018, the Backer may redeploy their Bounty to a new Issue by contacting support@bountysource.com before July 1, 2020. If the Backer does not redeploy their Bounty by the deadline, the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource."
> If no Solution is accepted within two years after a Bounty is posted, then the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource.
What? Do they really want to keep the award money if nobody solves the problem?
Exactly. This also means they can make the user experience bad at finding bugs or throw in additional clauses that disqualify participating bounty hunters to claim the money themselves.
Think of Amazon's search: Finding the correct thing you want, sold by your preferred/official merchant is kind of impossible. They can pull the same thing, so the bounties stay unsolved.
I was one of the original engineers working at BountySource when it started back in 2012. It was a very humble project with positive intent that struggled with finding ways to sustain business (aka make money). When all the staff were laid off and the company later sold, it was done. Sad day for us all who thought we were building something good for the FOSS community, and then this bullshit happens.
I think some central authority not tied down to any single issue tracker or source code repository for bug bounties is still a good idea, but it will never work if the controlling entity is a single for profit organization. Let bountysource die.
That's really disappointing. I have four active campaigns which have already collected over $5000 in total, including the one Ian mentioned. I hope these issues can be resolved before the two-year period expires. It would be a shame if that money would just be kept by Bountysource.
If anyone is interested, the campaigns concern GCC and LLVM:
Not a bounty platform, but https://polyglot.network/ is a FOSS development agency that might be more comfortable to deal with for CTOs. They work with both in-house developers and freelancers who work on FOSS.
Scary we live in a world where you can't instantly guess which of the big powers you are talking about in that last part. PRC re-education camps or Gitmo or ....
Unfortunately, illegal business models seem commonplace at least in the US. See the various food delivery companies committing fraud by misrepresenting themselves as the restaurants (buying domains & phone numbers and outranking the legitimate website on search engines), etc.
That's more of a grey area - there are at least a significant chunk of people that are happy for the taxi monopoly and the medallion system to go away.
But plain fraud where you steal money (or tips) or impersonate other businesses? I don't think anyone is going to be happy with that.
BountySource has been evil for a long time. They don't reach out to maintainers before accepting payments for arbitrary github issues - I had to email them four times to have my projects unlisted.
This information explains why they changed the terms of service. They probably have a lot of bounties where the project owner doesn't know about it. I'm sure they would prefer to get that money.
Just to provide some additional context, I did a quick analysis of the active bounties on BountySource and it seems that there is approximately 230k USD total unclaimed with ~150k USD being pre-2018.
Hi
You're receiving this because we updated our Terms of Service.
Withdrawal of new Terms of Service
Yesterday, we communicated a change to the Bountysource Terms of Service (ToS) agreement.
These changes have been withdrawn and the ToS reverted to its prior state.
The ToS will be revised and clarified in the future.
OP asked for alternatives, the founder of gitcoin "a platform for you to get paid for working on open source software" comments pointing to their website. It might have been worded better but I think it's a relevant answer. (commenter is https://twitter.com/owocki)
Can backers just close and claim their bounties themselves, or ask friends to claim them? What’s the point of redeploying only to extend the clock for two years, and who knows what other crap BountySource will pull in the future.
My guess is it depends if the money they're stealing from any one project is going to be enough to justify taking them to court. My guess is that very few projects have that avenue even available to them... given they use BountySource for funding.
There is a free and open source alternative written in pure Go, "donate"[1]. For now it works only with cryptocurrencies though. Another good option is OpenCollective [2]. They are completely open-source [3] but charge a substantial fee. Moreover, they integrate[4] with GitHub Sponsors seamlessly.
I guess FreedomSponsors still works (didn't try it in years), but active development stopped in 2017/2018 and communication stopped in 2015. I liked it and used it to fund some small fixes back in the day.
I would suspect that CanYa is behind this change. They, I believe, acquired BountySource two years ago, and probably just enough of the old guard has left for them to push this change through internally.
A non-evil motive would be that for accounting reasons that has to be kept on the books as a liability, and it's not nice to keep liabilities around indefinitely. There are lots of situations where this is the case, but where "just keep the money" is actually accepted practice. Gift cards, for instance. Also, I've seen IT support contracts where you purchase a certain number of "hours" that you spend on logged work; and those hours expire if you don't use them within 2 years.
But obviously this is completely different, since in the above two cases, you as the consumer have control over when the spend happens; you have no way of knowing if or when anyone is going to fulfill your bounty.
Yeah, I'm sure they want to clear these off the books, but I think the "right" way they could've handled this is to take their cut, and pay out the bounty to the maintainer of the project.
I have to imagine the amount of money they're looking at collecting here in the >2 year old bucket is large enough that they're willing to take the PR hit. There's probably a good chunk of change there held by now-inactive users who they're hoping won't actually do anything about the change like redirecting their funds.
It's also really sad because the open source project I contribute to is six years old, and had a couple year quiet period, but is often tackling multi-year old issues now. In our case, we don't use BountySource, but had we, we'd be looking at losing funding that we were still very much intending to earn.
> There's probably a good chunk of change there held by now-inactive users who they're hoping won't actually do anything about the change like redirecting their funds.
Or it could be exactly the opposite bucket: any bounties less than 2 years old are still subject to expiration, but they're not allowing you to redirect them when they expire.