Comment by pm215 9 hours ago

For small stuff, the cost is just going to be too much for people to want to pay it. This bug had a $1900 bounty attached. Let's put the cost of one software engineer (salary plus overheads) at $200,000 a year, which I think is an underestimate. That's $3850 a week, so unless your bug can definitely be fixed (including getting any necessary hardware, investigation, fixing, code review overhead, etc) in two or three days it doesn't pay. And if it could obviously be done in two days then it's likely somebody would have already done that.

The above back-of-envelope maths ignores the overheads of interacting with the people who posted the bounties to get them to agree to pay up, and the cost overruns on the class of bugs that look like two-day fixes but take two weeks.

jusssi 8 hours ago

$200k is one expensive software engineer. On average, you can get people to work for much less.

  • pm215 8 hours ago

    I assumed the commonly cited 2x markup, so that would be a $100k salary, which is less than various websites say is the average US software dev salary. You could probably find cheaper elsewhere in the world, but even if you cut the salary in half that's still "bug must be doable in a week", which isn't going to cover many of the bugs people will care about.

  • ssl-3 8 hours ago

    I believe that the $200k figure was meant to express what such a person might cost the company, not what that person would be paid as salary.

    (And it's just a placeholder. $200k seems like it's at least in the direction of the right ballpark.)

  • tstrimple 6 hours ago

    Paying for software developers is really weird. State governments, for example, struggle to pay for an FTE that makes $140k. But they can pay me over $200/hour for consulting services for multiple years. The technical FTE employees that they have generally aren't qualified to evaluate their consulting needs, so you get multi-million-dollar contracts with very little actual oversight. I was really impressed with the folks I was working with at this particular state government and looked into what it would look like if I joined them full time as an FTE technology leader. I would have to take almost a 50% pay cut. The top senior IT position that oversees all of the state resources makes 70% of what I do. It's crazy. Unless you're working in medicine or sports, government pay sucks.

    I've seen similar but less extreme examples play out in the private sector: a 16-year senior architect making less than a freshly hired software dev that was just an intern within the same company. Software developer pay is largely based on what you're demanding. In a lot of companies, there is a wide range of pay for folks doing literally the same job. They will hire a dev at $180k because that dev wouldn't go lower, and turn around and push back to get another dev at $120k for the same level of unproven experience.

    • mlrtime an hour ago

      They give up pay for guaranteed work and benefits, maybe a pension? Most likely little risk of being fired or laid off.

      You have to keep finding clients (I'm sure it's easy now; will it always be?) and pay all your expenses.

mrbombastic 8 hours ago

200k is a fairly high salary for a software eng in expensive markets. A bounty program like this would be open worldwide, and many people would be willing to work for a fraction of that. Quality control is another concern, but take a look at prices on sites like Upwork and bids for this type of work and realize 200k is nowhere near the lower baseline.

  • vel0city 7 hours ago

    $200k in cost to the company is a lot different than $200k in salary. It probably relates to someone making like $140k, depending on the various tax rates.

    • dahcryn 7 hours ago

      Also, don't forget to include QA and release management overhead, as well as project management, etc.

      The 60k buffer probably just covers the salaries of the multiple layers of management and facilities (building, cleaning...).

amelius 8 hours ago

You are forgetting that typically many users want a bug fixed.

rowanG077 8 hours ago

$200k is on the extreme high end of software engineers. For example, in Eastern Europe $30k is normal. And that's not even the floor. You can go to India or Africa to get even cheaper. The problem with this bug bounty, though, is that it requires pretty rare expertise. It's not a "throw any developer at it" type of thing.