On Tue, Sep 15, 2009 at 7:49 PM, George Herbert george.herbert@gmail.com wrote:
On Tue, Sep 15, 2009 at 4:40 PM, Anthony wikimail@inbox.org wrote:
On Tue, Sep 15, 2009 at 7:33 PM, Chad innocentkiller@gmail.com wrote:
Well thankfully the majority of 3rd party users have a better feeling about reporting bugs when they find them.
I'm not sure where you got the statistics for that statement, but hey, you should publicize it. "Mediawiki - more than half of discovered vulnerabilities are fixed!"
Anthony, that was uncalled for. Nobody has suggested that identified bugs aren't fixed.
I have.
Nobody has suggested that reported bugs aren't fixed.
I've seen instances of that as well. Not something I feel I should publicize, but if you look on this very list you'll see instances of serious bugs which are reported and aren't fixed.
You are under no legal responsibility to report new bugs you may be aware of, but if you claim to have any interest in the Wikimedia / Wikipedia communities you should have a moral responsibility to do so.
In the case of these particular bugs, no, I have no interest in seeing them fixed, at least not at the present time.
Commercial vendors that charge for software may, at their discretion, offer bug bounties - that's normal. Asking open source developers for bounties is not moral or ethical - there's no fee for using the software, why ask for a fee for helping improve it by reporting bugs?
I don't see anything immoral or unethical about asking. And I see nothing immoral or unethical about withholding information about them. It would be immoral if I exploited them, or if I told other people how to exploit them without first telling the WMF, but not if I simply sit on the information and do nothing about it.
Why ask for a fee? Why does anyone ask for a fee for anything? Because I might get it. I also think it would have been incomplete for me to have simply answered with "No thanks."
We can't make you do it, but you should. If you won't, perhaps you should just drop off the project membership emails and find something else to do - someone sitting here on these lists taunting "I know about bugs that you don't", if persistent, would be a gross violation of etiquette.
I only brought it up because someone implied that the organization I am a member of was publishing lies.