Sam Gentle.com

Personal bug bounty

5 pentadollar cheque from the bank of Sans Vergogne

It's common these days for large internet companies to have bug bounties, which are paid out if you find vulnerabilities in their software. The idea is that people are incentivised to look for vulnerabilities and report them when they find them. They can (and in many cases do) hire their own security professionals, but even so there is a lot to gain from having a larger pool of people testing your site, and encouraging them to report anything that slips through the cracks.

As far as I can tell, the practice started with Donald Knuth, whose reward checks of $2.56 for errors in his books have something of a cult status. Errors in his software, on the other hand, are given the higher value of $327.68, which reached its peak after doubling every year for 15 years since release. Knuth doesn't have corporate-level money to throw at this problem, so $327.68 per bug is a substantial bet on the quality of his software.

In the context of testing your life, this leads me to a pretty interesting idea. Why not have a personal bug bounty program? It could provide a lot of the same benefits as the software equivalent. It's usually considered kinda gauche to point out someone's flaws unprompted, so this would incentivise speaking up. What's more, it would encourage people you interact with to actively consider your behaviour more critically and look for ways you could improve. It's basically recruiting the collective wisdom of your network to help you improve.

Of course, you'd have to be a bit careful about how you do it. Maybe people would point out issues you already know about, or things you don't consider to be issues. Some of the issues might be too vague to be useful. People might even report lots of trivial problems that aren't really a priority. The thing is, though, these are all common problems that software bug bounties have to deal with, and it's still a net positive for them. So why wouldn't it be a net positive for you?

To put my (literal) money where my (figurative) mouth is, I'm going to run a pilot personal bug bounty. If you find an aspect of my behaviour or decisions that's holding me back, I don't already know about it, and you can describe it in a way that is specific and actionable, I'll send you $5 AUD. By specific and actionable I mean something like "you waste too much time on the internet", not "you aren't achieving your goals enough". I'm looking for a problem that lends itself to a solution. If it also comes with a solution, so much the better, but the main thing is that it describes the problem well.

Obviously there's a certain degree of good faith involved – I could just pretend nothing is a problem. That said, the nominal value is pretty small, so I don't have much financial incentive to cheat. I might have a personal incentive if I'm stubborn or don't want to admit problems. That said, so far I've shown a certain willingness to own up to failures, so in practice I think it will be fine. I will hedge slightly by saying that if I somehow start getting more reports than I can financially handle I might stop the experiment to save my poor wallet.

So if you have any good criticism and want some of that sweet bug bounty gold, email me on anything at this domain.