The #curl security team consists of seven team members. I encourage the others to also chime in to back me up (so that we do right). Every report thus engages 3-4 persons. Perhaps for 30 minutes, sometimes up to an hour or three. Each.
I personally spend an insane amount of time on curl already, wasting three hours still leaves a lot of time for other things. My fellows are not full time on curl. They might only have three hours per week for curl.
Times eight the last week.
Stefan Eissing, in reply to daniel:// stenberg://:
While the STA pays for most of my hours this year, that time would be better spent on something else than AI slop.
In addition, these reports (subjectively) happen more on weekends and are disruptive in their nature. Not a fan.
Unless H1 comes up with a scheme to improve quality, I fail to see an alternative to dropping the monetary rewards.
Maxime Thiebaut, in reply to Stefan Eissing:

daniel:// stenberg://, in reply to Maxime Thiebaut:
@0xThiebaut @icing sure, it would. But we also would stop legit reports and such infra for handling money doesn't exist. And as an Open Source project trying to be as open and accessible as possible it would be a loss I think.
I honestly think dropping the rewards completely might be better.
Maxime Thiebaut, in reply to daniel:// stenberg://:
@0xThiebaut @icing Replacing them with merch might be as good, cURL is a neat place to find bugs in.
I’d also be happy to volunteer for L1 triage of bugs should they keep coming in the future. Reports where cURL works as intended are quite easy to triage.