gitcoinco / web

Grow Open Source
https://gitcoin.co

Paying Bounties for Finding and Creating Issues for Bugs on Gitcoin (Bug Bounties!) #760

Closed mkosowsk closed 5 years ago

mkosowsk commented 6 years ago

User Story

As a User of Gitcoin, I want to have a user experience that is free of bugs, so that I can get the most out of the platform in a streamlined fashion.

Why Is this Needed?

Currently there are a lot of great developers working on a lot of different issues on the https://github.com/gitcoinco/web project, which is awesome! However, because there are so many different people working on so many different things, it's difficult to QA everything that gets pulled into the project and sometimes bugs slip through. Wouldn't it be great if there was a way to incentivize our community to find and report bugs on Staging and/or Production for Gitcoin so that bugs could be brought to light before breaking UX on the web app?

That's exactly what this ticket is designed for!

Quick notes on this model and its relation to other things going on in the Gitcoin ecosystem. There currently is the

  1. Standard model for Gitcoin of having projects bounty up their existing issues (either features or bugs), making them discoverable on the Gitcoin platform, and then paying out devs that complete successful PR's. This has been quite successful!
  2. A different model of having Gitcoin users disperse and go out to projects to find issues that are appropriate for bountying per https://github.com/gitcoinco/web/issues/671 and bringing them back to Gitcoin. I really like this idea as well! 👍
  3. The model currently being written about in this issue is about bountying the finding and reporting of bugs via creation of issues and is separate and distinct from the previous two models (previously discussed in https://github.com/gitcoinco/GIPs/issues/5).

I believe all the models are separate and serve different purposes, but can all coexist to further the Gitcoin platform :)

Description

This issue would serve as a pilot study for Bug Bounties. I plan to seed this issue with 0.3 ETH (currently around $109 USD) which I will tip out to Bounty Hunters who successfully meet the following criteria. I am aiming to give out 6 bounties over the course of the Bug Hunt so split evenly that would amount to around $18 USD each, although bugs that are especially pernicious could warrant a larger bounty. I plan on opening the Bug Hunt on April 3rd (Tuesday) end-of-day and closing it the following Tuesday on April 10th end-of-day or by the time I exhaust the 0.3 ETH, whichever comes first.

Acceptance Criteria

  1. Bounty Hunter finds bug for Gitcoin that is NOT documented in https://github.com/gitcoinco/web/issues/
  2. Bounty Hunter creates issue on https://github.com/gitcoinco/web with the following fields filled out:
     A. Steps to Reproduce (steps should be detailed enough to allow someone not familiar with the platform to still reproduce the behavior)
     B. Expected Behavior
     C. Actual Behavior (i.e. the bug)
     D. Screenshots (for UI bugs)
  3. Bounty Hunter makes a comment in this issue and links to their newly created issue.
  4. Gitcoin community determines Bounty Hunter satisfies previous Acceptance Criteria and provides feedback as needed
  5. Bounty Hunter applies feedback as needed
  6. Bounty Hunter is tipped the bounty by @mkosowsk :)

In Scope

  1. Finding and creating issues for bugs found on the https://gitcoin.co/ platform. TODO: should this be just on Staging or Production or both? If Staging, which Staging?

Out of Scope

  1. Resolving these bugs. This issue is meant only for finding bugs and NOT for their resolution.

Interested and receptive to feedback 💪🏻🤠👍🏻 @PixelantDesign @owocki @mbeacom @vs77bb @thelostone-mc

thelostone-mc commented 6 years ago

Oh, I like this! :D This would be easy to test out within the gitcoin community. Would encourage the folks to join and give it a shot!

Being paid to report bugs is something which is done today in many companies and it works well!

(Thinking ahead: this would work even with other open source repos! Incentivizing bug reporting does encourage folks to find loopholes and repo owners would love being notified about it.)

owocki commented 6 years ago

we did something similar to this before, although we graded the bugs found via the OWASP model last time we did it. i think that was effective to prevent people from just going for low hanging fruit and actually incentivizing them to look for critical bugs (as opposed to just finding a random Android variant layout issue)

mkosowsk commented 6 years ago

@owocki Interesting, I hadn't seen this before! I will process later :)

I think things like OWASP vulnerabilities should definitely be front and center but even things like finding and documenting low-hanging fruit a la layout issues in different environments do add value to the platform and are worth a bounty of .05 ETH/~$20 USD. These issues do hurt the UX of Gitcoin for some users and documenting them could be a good way to get beginners excited about the platform by adding value with the skillset they have 👍🏻

I think a vulnerability with something like OWASP is worth much more as demonstrated with https://github.com/gitcoinco/web/issues/38... the tip at the time was close to $2000 USD 😳 Is that the highest amount of fiat equivalent paid out ever in a Gitcoin tip?

vs77bb commented 6 years ago

I like this for a bug hunting spree, which helps us track down a lot of little things that add up to funny experiences. This could help us track down and fix issues related to the core platform, which continues to be a key focus area for us.

Thoughts @mbeacom @PixelantDesign?

PixelantDesign commented 6 years ago

Great idea! I like!

mkosowsk commented 6 years ago

@mbeacom @vs77bb great! Will go live in a few hours :)

mkosowsk commented 6 years ago

This is now live, making a comment on the Slack 😍

mkosowsk commented 6 years ago

First bug bounty claimed by @kziemianek per https://github.com/gitcoinco/web/issues/786 !!! Congrats :)

mkosowsk commented 6 years ago

1/6, 5 more to go 😍

vs77bb commented 6 years ago

@mkosowsk Is @kziemianek eligible for more? 🤔 Great bounty!

mkosowsk commented 6 years ago

@vs77bb yep, @kziemianek is absolutely eligible for more! There's nothing in the post limiting number of bugs submitted by a Contributor... no reason to stop someone from contributing more great work to help the platform!

Also, it looks like there's nothing in the rulebook that says a dog can't play basketball 🤔

@kziemianek https://github.com/gitcoinco/web/issues/787 is also eligible for a bounty per this pilot study, would you like a payout of 0.05 ETH for that one as well? If you're tired of me asking if you'd like a payout for issues you open, just make a quick comment in this issue linking to the one you created so it's clear what your intent is 👍🏻

As a side note, my twin sister @ekos26 is getting into software and thinks she may have found a bug to report per this ticket. She's looking to open her first issue on Github for it! 😍😍😍

ekos26 commented 6 years ago

@mkosowsk please take a look at https://github.com/gitcoinco/web/issues/806 when you have some cycles

thanks!

mkosowsk commented 6 years ago

@ekos26 will take a look in a little bit :) nice work!

Bounty 2/6 claimed by the excellent @eswarasai per https://github.com/gitcoinco/web/pull/807. Great work!

mkosowsk commented 6 years ago

Bounty 3/6 of pilot study claimed by my twin sister @ekos26 per https://github.com/gitcoinco/web/issues/806. Great work!

How much time will it take until you're a better dev than me? 🤔

abitrolly commented 6 years ago

Not many people know about this issue. It will be better to just monitor open bugs through GitHub API like https://github.com/gitcoinco/web/pulse/halfweekly and add some labels/bot-commands like triage and confirm-bounty that project members can issue to award people.

mkosowsk commented 6 years ago

Yeah, it doesn't seem that I did a super great job of getting the word out for this 🤔 All I did was share a LinkedIn post and make a post in the #community-general channel of the Gitcoin slack: https://gitcoincommunity.slack.com/

@owocki @vs77bb do you think something like this pilot study would warrant a bullet point in the Gitcoin newsletter later down the line?

One of the main ideas behind this pilot study was to incentivize people going out and finding bugs and then documenting them, but I've kinda been going around this by alerting people that are reporting bugs to this issue after they've posted their bugs. This is opposed to people going out and finding bugs because of this issue, basically incentivizing people to get more eyes on the project

@abitrolly do you feel that using labels/bot-commands like triage and confirm-bounty would incentivize people in the community to find and document bugs that they otherwise wouldn't have done? Do you think it makes sense to have a weekly budget of something like $100 USD worth of ETH that is paid out every week for bug bounties or to save up for a bug hunt that is done once a month or so? I am leaning toward the weekly approach at the moment just because I like the consistency but am open to feedback 👍🏻

Thanks for your feedback! 👍 👍 👍

mkosowsk commented 6 years ago

Bounty 4/6 of pilot study claimed by @abitrolly per https://github.com/gitcoinco/web/issues/817. Great work!

mkosowsk commented 6 years ago

Bounty 5/6 of pilot study claimed by @eswarasai per #819. Great work!

mbeacom commented 6 years ago

819 was an automated GH issue created by rollbar. πŸ€”

thelostone-mc commented 6 years ago

@eswarasai well played :P

eswarasai commented 6 years ago

@mbeacom -- Yep. Because I was testing 😛

abitrolly commented 6 years ago

@mkosowsk yes, the process is to create a funnel in which all reported bugs are nominated for a bounty. This will incentivize reporting even minor issues that people are lazy to report. Not sure about the quality - sooner or later people start to think about actual value in USD (because we are showing actual value in USD) - so there could be bonus points for quality reports.

Weekly fund that gets distributed semi-automatically just saves time.

mkosowsk commented 6 years ago

@abitrolly makes sense to me! 👍 will keep that guidance in mind :)

@mbeacom @eswarasai @thelostone-mc I wrote up this issue and had part of the Acceptance Criteria be "Bounty Hunter makes a comment in this issue and links to their newly created issue."

but was pretty lenient with this. I went out and funded bounties for issues for bugs that people created and didn't link back to this issue and even for ones on Slack per @eswarasai... the only one that followed the instructions to the letter was my dear twin sister @ekos26 😂

I think this speaks to @abitrolly's point of

Not many people know about this issue. It will be better to just monitor open bugs through GitHub API like gitcoinco/web/pulse/halfweekly and add some labels/bot-commands like triage and confirm-bounty that project members can issue to award people.

We want to limit as much friction as possible for bug hunters and having them have to link back to another issue is definitely friction. I'm digging this suggestion of monitoring the Github API for relevant bugs and just having a running weekly fund of something like $50-100 worth of ETH for bountying finding and documenting bugs. The word will get out as bounties are paid out and I think this relatively modest budget would have an outsized effect on finding new defects or regressions on Gitcoin (and could serve as a model for other projects that use Gitcoin).
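The funnel @abitrolly describes (all reported bugs nominated, project members confirm with a label, a weekly fund distributed semi-automatically) can be sketched in a few dozen lines. The script below is an added example, not code from the gitcoinco/web project or from anyone in this thread. It assumes two labels, `confirm-bounty` and `bounty-paid`, a small deny-list of integration accounts (so that an error tracker auto-filing issues, the situation that came up with #819, does not get paid), and a fund of $100 USD per week. The issue records it runs over are constructed to look like GitHub REST API issue objects (`number`, `labels[].name`, `user.login`/`user.type`, `created_at`, and the `pull_request` key the issues endpoint adds for pull requests); they are not real data.

```python
"""Weekly bug-bounty funnel over GitHub issue records (added example).

Not code from the gitcoinco/web project. Gather issues opened in the last
week, keep the ones a project member has labelled `confirm-bounty`, drop
automated or already-paid reports and pull requests, then split a fixed
weekly fund between the remaining reporters. Label names, the automation
deny-list and the fund size are assumptions; the sample records are
constructed in the shape of GitHub REST API issue objects.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal, ROUND_DOWN

CONFIRM_LABEL = "confirm-bounty"        # assumed: set by a maintainer after triage
PAID_LABEL = "bounty-paid"              # assumed: added once the tip has been sent
AUTOMATION_ACCOUNTS = {"rollbar-bot"}   # assumed deny-list of integration accounts


@dataclass(frozen=True)
class Award:
    number: int
    login: str
    amount_usd: Decimal


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps are ISO-8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def eligible_issues(issues, now, window_days=7):
    """Apply the funnel: recent, confirmed, unpaid, human-filed, not a PR."""
    since = now - timedelta(days=window_days)
    kept = []
    for issue in issues:
        if "pull_request" in issue:          # the issues endpoint also lists PRs
            continue
        labels = {label["name"] for label in issue.get("labels", [])}
        if CONFIRM_LABEL not in labels or PAID_LABEL in labels:
            continue
        user = issue["user"]
        # Error trackers and bots file issues too; they are not bounty hunters.
        if user.get("type") == "Bot" or user["login"] in AUTOMATION_ACCOUNTS:
            continue
        if parse_ts(issue["created_at"]) < since:
            continue
        kept.append(issue)
    return kept


def split_fund(issues, fund_usd):
    """Split the weekly fund evenly, rounding each share down to the cent."""
    if not issues:
        return []
    share = (Decimal(fund_usd) / len(issues)).quantize(Decimal("0.01"), rounding=ROUND_DOWN)
    return [Award(i["number"], i["user"]["login"], share) for i in issues]


def _issue(number, login, labels, created_at, user_type="User", pr=False):
    """Build a constructed record in the GitHub issue-object shape."""
    rec = {
        "number": number,
        "title": f"constructed issue {number}",
        "labels": [{"name": name} for name in labels],
        "user": {"login": login, "type": user_type},
        "created_at": created_at,
    }
    if pr:
        rec["pull_request"] = {"url": f"https://example.invalid/pull/{number}"}
    return rec


# Constructed sample week ending at NOW; only 901 and 907 should pass the funnel.
NOW = datetime(2018, 4, 10, 23, 59, tzinfo=timezone.utc)
SAMPLE_ISSUES = [
    _issue(901, "hunter-a", ["confirm-bounty"], "2018-04-08T14:02:00Z"),
    _issue(902, "rollbar-bot", ["confirm-bounty"], "2018-04-09T03:15:00Z"),       # auto-filed
    _issue(903, "hunter-b", ["triage"], "2018-04-09T09:40:00Z"),                   # not confirmed
    _issue(904, "hunter-c", ["confirm-bounty", "bounty-paid"], "2018-04-05T11:00:00Z"),
    _issue(905, "hunter-d", ["confirm-bounty"], "2018-04-07T18:30:00Z", pr=True),  # a PR
    _issue(906, "hunter-e", ["confirm-bounty"], "2018-03-20T08:00:00Z"),           # too old
    _issue(907, "hunter-f", ["confirm-bounty"], "2018-04-10T10:00:00Z"),
    _issue(908, "dependabot[bot]", ["confirm-bounty"], "2018-04-10T12:00:00Z", user_type="Bot"),
]


def weekly_awards(fund_usd="100"):
    """Run the funnel over the sample week and return the payout list."""
    return split_fund(eligible_issues(SAMPLE_ISSUES, NOW), fund_usd)


if __name__ == "__main__":
    for award in weekly_awards():
        print(f"#{award.number} {award.login}: ${award.amount_usd}")
```

Against the sample week this pays hunter-a and hunter-f $50.00 each; the rollbar-filed issue, the unconfirmed one, the already-paid one, the pull request, the stale one and the bot account all fall out of the funnel. Rounding each share down means an odd split (three reporters on $100 gives $33.33 each) never overspends the fund; whatever is left over carries into the next week.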

abitrolly commented 6 years ago

I feel like I can almost write a whitepaper on that Weekly value dashboard. :)

mkosowsk commented 6 years ago

@abitrolly sending you a quick email :) long story short did this pilot study as proof-of-concept as one way to onboard new repos onto the Gitcoin platform and am super interested in your feedback 👍🏻

JDFind commented 6 years ago

Hello @mkosowsk! Is issue #854 eligible for a tip?

mkosowsk commented 6 years ago

@JDFind you bet it is! Great find :) You are the 6th and final bounty for this pilot study... sending over now 👍🏻

mkosowsk commented 6 years ago

Bounty 6/6 of pilot study claimed by @JDFind per #854. Great work!

That wraps up the pilot study, thanks to all the participants! @kziemianek @eswarasai @ekos26 @abitrolly @JDFind

Please provide any feedback you have for the study, both positive and constructive :)

I think this pilot study supports the concept of a continuous weekly bug hunt that is funded by an ETH equivalent of something like $100 USD. Gonna do some processing and will come back to the community with some additional thoughts... right now I'm thinking to use both the gitcoinco/web/pulse/halfweekly solution with labels as well as making a new issue every week for a bug hunt.

The new issue every week does clutter the issues up a bit but I think it's worth it if the community learns about posting their created issues in the given bug hunt issue, makes it easy to be alerted quickly to someone who has found a pressing issue 🤔

JDFind commented 6 years ago

Thank you! Glad I could help.

abitrolly commented 6 years ago

Looking forward to get more funds to play with gitcoin.co bugs. :grinning:

mkosowsk commented 6 years ago

@abitrolly stay tuned! In the meantime, if you want to flex your Project Management skillset and get paid to groom out tickets, this is the current pilot study I'm helping uPort with: https://github.com/uport-project/buidlbox/issues/5

uPort and @KamesCG have just launched and funded a bunch of interesting issues for their uport-project repo, check them out!

150 DAI ($150 USD): [Ideas] More Smart Contract Transaction Signing Demos using uPort Mobile App at https://github.com/uport-project/buidlbox/issues/3

And if you've got Wordpress experience:

75 DAI ($75 USD): [Development] Create Wordpress Plugin File Structure - PHP | Intermediate at https://github.com/uport-project/uport-wordpress-plugin/issues/1

300 DAI ($300 USD): [Feature] uPort "Passwordless" Login using Wordpress Authentication - Javascript/PHP | Advanced at https://github.com/uport-project/uport-wordpress-plugin/issues/2

Happy hunting! 👍🏻