4chan announces vulnerability disclosure program (4chan.org)
66 points by forlorn on May 6, 2014 | hide | past | favorite | 55 comments



Key terms:

For each eligible vulnerability report, the reporter will receive:

* Recognition in our Hall of Fame.

* Either $20 in self-serve advertising credit valid for one year, or a 4chan Pass valid for one year ($20 value, subject to Terms of Use).


The goal was to create a framework through which people could safely test and report exploits. In addition, 4chan isn't in a financial position to dole out large bounties.


I think the Hall of Fame is worth more than the $20.

This is one of those cases where the $20 is probably worse than $0, though (even though it's non-cash). It's like "hey, friend, will you (help me move|have sex with me|etc)"; more likely to do it as a favor than when $20 is offered. Probably even more likely to do it for $1k than as a favor. $1000>0>$20.


I remember on one of the early StackOverflow podcasts that Joel very specifically wanted to stay away from any kind of monetary compensation for answering questions because as soon as somebody tries to do a $/time equivalency in their head the whole thing looks like a rip-off.

Much better to frame things as a way to show off to peers, help the community, etc.


When it comes to security vulnerabilities, hackers usually sell them to the highest bidder, which is why it's good for the highest bidder to be the bug bounty program. Recognition is nice, but money fixes problems.


I honestly don't think there are many situations where the highest bidder for a bug will be a bug bounty program. Consider from a couple of years back when Vupen won Pwn2Own against Chrome, and Vupen refused to disclose, based on the commercial value of the exploits. The key quote (and I don't think he's exaggerating) is: “We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-th...


Thank you for the wonderful article! If anything, this is more evidence that money is more important than recognition, so bug bounty programs had better be lucrative.

It seems like if Google were to offer a $1M bug bounty tier, it'd be much more likely that Vupen's exploits would be discovered by someone else.


That's an extreme example. Most bugs are very likely worth more to the company than to anyone else. How much could you honestly sell a bug in 4chan for?


The Hall of Fame is the really worthwhile part, and has more value to most users than a small amount of cash. Perhaps something like Donald Knuth's reward cheques[1] for TeX bugs would be a better option?

[1]: http://en.wikipedia.org/wiki/Knuth_reward_check


The whole point of 4chan is anonymity, so being in the Hall of Fame is completely useless. In fact, your typical 4channer would probably prefer sheer lulz resulting from hacking 4chan to any monetary reward.


Sorry, I hope I didn't come across as being attackative. It just took a little digging for me to find the terms.

I totally understand that you can't offer a $1,000 bounty, you aren't Google or Facebook.

Would it be possible, however, to take donations (cryptocurrencies?) that can be used specifically for the bounties? I'd put in 50k DOGE towards that, and I'm sure others would too.


> Would it be possible, however, to take donations (cryptocurrencies?) that can be used specifically for the bounties?

I appreciate the kind gesture, but I really hate accepting donations, and to that end we haven't accepted any in ~8.5 years.


> doesn't want to accept donations

> wants people to pay for contributing to the site

The reason you feel against donations is because you probably have a negative psychological view of accepting help. You probably feel that you bother people when you want to ask them for free help in real life.

Well this mental block you have is not true to the world. You should do what other good entrepreneurs do and stop putting your own limiting beliefs onto your non-profit business.


I would donate as well. It might start getting a little close to vulnerability bounties though... Hmmm...


You could send a T-Shirt or a candlelit dinner or something. The current bounty just seems insincere.


I dread to think of the circus /b/ would make of moot treating bug-finders to candle-lit dinners...


Why don't you open source your moderation panel, or at least release screenshots of it? 4chan has had a lot of beautiful code submitted by volunteers every year. It's a shame to keep it all locked up.


> 4chan has had a lot of beautiful code submitted by volunteers every year. It's a shame to keep it all locked up.

All of our codebase (the core application and related tools) has been closed-source from day one. Not sure what you're referring to.


> All of our codebase ... has been closed-source from day one.

Yes. Why? The imageboard community is full of awful scripts. Yotsuba has a lot of really wonderful features. It would be great for the world if you were to release Yotsuba on Github or something.

Futallaby isn't closed source, BTW.


I think moot was pondering why you were claiming there are many volunteer contributions to 4chan's code, when 4chan's code and tools have been closed source (i.e.: presumably in-house developed only) since the start.


The 4chan staff are all volunteers.


This doesn't really answer the question of how you know that "4chan has had a lot of beautiful code submitted by volunteers every year" when it's not open source.


Oh. I've been friends with several 4chan janitors/moderators over the years. But there's also occasionally leaked images of the software behind the scenes.


It seems to me it may just be that maintaining an open source project might be a little harder than maintaining something that is closed source simply because the maintainers can maintain it at their leisure, rather than having to deal with what comes with having a large open source project. 4chan is probably enough of a time sink for moot as it is.

Personally I believe 4chan seems like a good candidate for the MEAN stack. A lot of the features and boards could be coded as modules and it seems like it would be a lot easier to maintain, but of course this is mostly speculation. What might be cool is if 4chan/moot sanctioned an open source project (or had a competition) to see if users could create a good open source "foundation" for 4chan and other image boards, then open sourced what was built off of that. I know 4chan has been "re-written" but I imagine some of the code is still original and I don't think anyone expects it to be "professional quality" simply because it was written by someone who was (probably) completely new to web coding, so I can see why it may not make sense to open source what they have already because it could lead to more bugs than it fixes.


Why do you think the 4chan source would be any less awful? If you're really curious you can look at the partial source that leaked a while back, but IIRC it's not exactly amazing. (I'm paranoid, so I won't link to it but it's trivial to find with Google.) Edit: Just saw that you've already seen it. Nonetheless, my other points still stand.

At any rate, I don't think we'll be seeing an open source release of the 4chan source in the near future. Obviously I don't know the specifics, but in my experience it seems like most purpose-built internal applications like the 4chan imageboard tend to be rather messy and filled with a lot of very specific code that's hard to repurpose for more general use. In order to release it publicly, the codebase has to be sanitized of private information, disentangled from any internal utilities or applications, refactored to remove ugly hacks that solve one-off problems (ex. legacy integration), and so on. Then they have to switch 4chan itself over to the new codebase if they ever hope to keep the public repo up to date. That's a lot of work for 4chan's volunteer labor force, on top of what they already have to expend to maintain the site.

There's also a good likelihood that the volunteers who contributed to the code have not done so in a way that would allow moot to release the source. I am not a lawyer so I can't speak confidently about this, but I'm pretty sure copyright is a major issue here. Unless every volunteer contributor has explicitly agreed to allow their code to be released or directly assigned copyright to moot, the first prerequisite to an FOSS release would probably be to get that permission from every contributor, both past and present. The present contributors may not be that hard to ask, but given the nature of 4chan I wouldn't be surprised if a few past volunteers have worked under personas they've since abandoned, effectively making them unreachable.


And the great part of open source imageboard software is almost abandoned.


Not really. Tinyboard and Kusaba X are both still pretty popular. Both are still actively maintained.


Wakaba isn't abandoned, it's finished. What more could you want from it?


Web development is not a static thing. Wakaba is finished, but maybe it would be better, using new concepts and technologies, etc., if it were still actively developed.


I think the Hall of Fame recognition would be a bigger honor if it were hosted on 4chan.com.

A one year 4chan pass is pretty neat, though.


So a gold star and a kiss on the cheek, basically.


A 0day pat on the head from 4chan is pretty solid nerd cred for the CV.

Maybe he's so worried about the rest of the code that he thinks a $10k bounty could quickly ruin him :)


I dunno man, exploiting a 0day to troll the shit out of people on /b/ also seems pretty great.


Moot is a poor lad.


I don't think he's poor by any stretch of the imagination. Correct me if I'm wrong, but the recent intrusion brought to light that something to the number of 12,000 passes have been bought? 12,000 x 20 = 240,000. Not a significant amount of money, but how much do you think his overhead expenses are to run the service?


I bet the running costs are pretty respectable.


I can't imagine that it's more than $6,000 per month. Cloudflare's enterprise service is a flat $5,000 per month regardless of utilized bandwidth, and can be negotiated downward. The dedicated server hosting 4chan's code and UGC cannot cost much more than $1,000 per month.

I run a site with a slightly better alexa ranking than 4chan. I've read past 4chan blog entries so I know that the traffic demands are similar, and my own expenses average around $6,000 per month.


I can't imagine who downvoted you. You supplied some useful information. I for one didn't know how much that service costs.


Kudos to you for your detailed response.


[deleted]


Venture capital for a separate business/entity != money for 4chan and/or myself personally. It's incredible how so many 4channers confuse the two and have a fundamental misunderstanding of VC...


On the list of things, that's the least incredible thing.


Well, on the other hand I worked in a company which lived for about 14 years of such VC money. They never made profit and all VCs got mad. But I, as an employee, got paid a handsome amount of this money and I guess I'm not the only one.

So I can understand that some people think VC money is for the founders.


You could probably convince /g/ to send them the appropriate X-rated images too


I think it would be a very good idea for moot to bite the bullet and pay for a moderately thorough security audit of 4chan's code.

This one-time investment would hopefully resolve most of the major/obvious security issues. Then the code could be open-sourced with moderate confidence that a million 0days would not be exploited instantly -- and the community can catch the obscure holes.


> I think it would be a very good idea for moot to bite the bullet and pay for a moderately thorough security audit of 4chan's code.

Where/who would you suggest? I'm certainly open to the idea.


Matasano: http://www.matasano.com/

It's a well-respected security firm that's been around for a long time.


I have a feeling you could post the code on /b/ and find out about some vulnerabilities very quickly.

edit: On a more serious note, I've done some work with Palamida and been quite impressed. They can be pricey though. I know you're not keen to accept monetary donations, but I wonder if getting a reputable company to do it for free would work. I'm sure there's plenty of goodwill toward you in the technical community.


I don't know myself. Perhaps others can speak of reputable resources?


Sad this isn't an announcement of a new /0day board that serves as a pastebin alternative.


This is great. Before long it will be more rare for a site/company to not have a bounty program vs. having one.


Is the host down?


Do you have HTTPS Everywhere installed?


Yes.


Well, take that information and use it to determine what you should do to solve the problem.


Thanks, worked! :)

