Figure out bug bounty system

[mkurz]

As suggested by @ennru, we might want to introduce a bug bounty system. Here is the JHipster story: https://blog.opencollective.com/jhipsters-bounty-system-and-how-it-saved-the-project/ Also please have a look at their sponsors page, that describes their current system: https://www.jhipster.tech/sponsors/ Basically they tag an issue as "bug-bounty" and an amount (ranging from $100 to $500): Here is the list of issues with bounties so far: https://github.com/jhipster/generator-jhipster/pulls?q=label%3A%22%24%24+bug-bounty+%24%24%22 (However not sure if they have other repos using that tags as well, didn't check)

I am totally open for a bug bounty system like JHipster has, so everyone that contributes can claim money for their time invested, however IMHO I think we should take a hybrid approach. That means that core contributors that decide to work on Play part time or full time, should get paid accordingly on a monthly or weekly basis, in addition to contributors that can claim money for certain issues/pull requests. Based on my own experience, there is always quite a lot of work to do which doesn't get tracked by an issue or pull request, so just paying a core contributor that works on the project part time or full time based on bounties tagged to an issue/pr wouldn't be fair. (That's just my opinion however). I had a look at the JHipster payouts and even they did not just pay out only bounties, they did have weeks were a dev was working full time on it: They did that for a couple of weeks as far as I can see (Also it looks like all of the JHipster core team members are employed as full time devs for different companies anyway).

Compared to socket.io were the main dev gets a monthly payout (they do not have a bug bounty system however):

However, to realize such a hybrid system, we need sponsors that give enough money to make it happen...

[ennru]

Yes, I definitely think Play needs a hybrid approach. Bug bounties are a way to attract financial contributors that want some direct access to decide what issues get focus.

Especially the playframework repo requires a lot of regular maintenance that isn't tracked in issues at all, so I expect reguglar "Project maintenance" payouts are necessary.

[octonato]

@mkurz, on top of everything you said, there is one other reason to put aside money to pay core contributors.

There are a lot of administrative tasks that a core contributor will need to take. Including reviewing and refining contributions, specially those tagged by 'bounty'. If an issue gets $500 price tag, we want to be sure that the provided fix won't introduce any regression, is backward compatible, code conventions are followed, etc.

And we all now that this requires lots of time from the maintainers.

But it's pretty much of what you said, such a system will require sponsors. The ideal situation would be to get enough sponsoring to have you covered if not full time at least part-time.

[gmethvin]

I like the concept of having bug bounties for sponsors at certain levels, though I'm not sure where it's best to set those levels.

For right now I feel like we should focus on finding sponsors who care about the project as a whole, then once we have some sponsors we can start introducing bug bounties.

[AlexITC]

I think this is a nice idea because it can motivate outside people to fix issues that the ongoing team can't prioritize.

Still, I feel that the priority should be to get enough budget to pay the ongoing team, once that's sorted out, bug bounties could be worth evaluating.

Alternatively, every company could be free to advertise a bug-bounty for something they need.

[mkurz]

Alright, let's introduce bug bounties later, when we have enough budget. Like said, I too think it's a great idea that's definitely worth at least trying, however let's focus on other things first.