On Tue, Sep 15, 2009 at 7:49 PM, George Herbert <george.herbert(a)gmail.com> wrote:
On Tue, Sep 15, 2009 at 4:40 PM, Anthony
On Tue, Sep 15, 2009 at 7:33 PM, Chad
Well, thankfully the majority of 3rd-party users have a better feeling
about reporting bugs when they find them.
I'm not sure where you got the statistics for that statement, but hey,
you should publicize it. "MediaWiki - more than half of discovered
vulnerabilities are fixed!"
Anthony, that was uncalled for. Nobody has suggested that identified
bugs aren't fixed.
Nobody has suggested that reported bugs aren't
I've seen instances of that as well. Not something I feel I should
publicize, but if you look on this very list you'll see instances of serious
bugs which are reported and aren't fixed.
You are under no legal responsibility to report new bugs you may be
aware of, but if you claim to have any interest in the
Wikipedia communities you should have a moral responsibility to do so.
In the case of these particular bugs, no, I have no interest in seeing them
fixed, at least not at the present time.
Commercial vendors that charge for software may, at their discretion,
offer bug bounties - that's normal. Asking open source developers for
bounties is not moral or ethical - there's no fee for using the
software, why ask for a fee for helping improve it by reporting bugs?
I don't see anything immoral or unethical about asking. And I see nothing
immoral or unethical about withholding information about them. It would be
immoral if I exploited them, or if I told other people how to exploit them
without first telling the WMF, but not if I simply sit on the information
and do nothing about it.
Why ask for a fee? Why does anyone ask for a fee for anything? Because I
might get it. I also think it would have been incomplete for me to have
simply answered with "No thanks."
We can't make you do it, but you should. If you won't, perhaps you
should just drop off the project membership emails and
else to do - someone sitting here on these lists taunting "I know
about bugs that you don't", if persistent, would be a gross violation
I only brought it up because someone implied that the organization I am a
member of was publishing lies.