Bug bounty program


Hello folks :slight_smile: ,

Today I would like to revive a topic: Bug bounties. The subject was shut down just before the ML issue but I would like to restart it now.

Hoa requires an important amount of time. Liip, for instance, is sponsoring me at a rate of 5% of my time to work on Hoa. This is excellent news for the project. We have other sponsors, like VeryLastRoom, that provide a constant source of revenue, thanks! Other sponsors provide other kinds of resources for the project, thanks to them too.

But Hoa is more and more used and popular. While we are all volunteers, I would like to set up a bug bounty program. Let me summarize why:

  1. Motivation: I reckon it will motivate us to work on some hard or cumbersome bugs, like the refactoring of some libraries,
  2. Solid projects: all the collected money will go to the Hoa Foundation. As a reminder, here is its statute:
    It aims to support the Hoa project by developing, deploying and promoting the free software from Hoa Project, its derivatives and associated projects.
    Thus, it will be easier to communicate around the projects by sending people to conferences, organizing our own conferences, and more importantly sharing our revenue with other projects we depend on, like atoum (or PHPBench in the near future, I hope). The goal is not to be rich but to create a solid and strong ecosystem on top of PHP and around Hoa,
  3. Acknowledgement: most of the time a contributor does an incredible amount of work, a new snapshot is released, it’s downloaded, great… but… nothing else. Even inside Hoa’s community, we are happy but we do not express it as much as it deserves. Recently, @pierozi has set up TLS for all of Hoa’s domains, @ashgenesis is organizing and coordinating Hoa Virtual Meetings every month and is preparing the arrival of PHP 7.1 on 2 fronts (Hoa and atoum), @Metalaka has made constant efforts on all libraries, just like @shulard. Those are just a few examples, but they deserve something special, and from time to time, I think we could give them a gift (direct money or something else).

Because we are a set of libraries, few people care about us. Let’s face it ;-). We already know this fact, this is not new. This is the industry behavior. We are the last piece of the chain. So we are not going to make millions of euros, don’t expect that. However, if we can distribute 100 or 200€ sometimes, it will be excellent news for everyone, I guess.

If you agree, I would like to go with BountySource, I guess they are good.

Thanks for reading.

Do you think this is a good idea? Do you think the motivations are correct? Thoughts?


For me it could be interesting if we have enough resources to pay for the minimal stuff like servers, some meetings, etc.

In this case, yes, we can invest money in a reward bounty. But in my opinion we should use it with care and not abuse it.


How could we abuse it? When we are talking about money, we must be clear about the goals ;-).


I think it’s a good idea and it can popularize the project more internationally. I agree a bit with @Grummfy about spreading the money more on server resources, events, talks…

Rather than on people: we do not want to be an organisation that pays for PRs. I think gifts would be better, like goodies, books, licences…

Do you have some examples of other projects on BountySource? I don’t know this platform.


@Grummfy @pierozi Sure, the money will serve the Hoa Foundation first, like its infrastructure, events, etc…

@pierozi NeoVim, Mozilla, PHP, ownCloud, elementaryOS… many projects are present on this platform.