Monday, October 7 • 2:00pm - 2:45pm
Unconference 1 Topic Seed: A Valuable Flaw: Bug Bounty Programs, Software Maintenance, and Infrastructure Labor

In 1995, Netscape launched a then-novel idea: a program that paid users for flaws they discovered in the most recent version of their Netscape Navigator web browser. Over the next two decades, “bug bounty” programs, as they are known, became commonplace: Google, Microsoft, Facebook, Starbucks, the Department of Defense, and hundreds of other organizations now routinely purchase flaws from thousands of individual security researchers across the globe. What was once radical is now typical: Bounty programs are a key way of organizing the work of software maintenance. The market for bugs alternately blurs, complements, and challenges other maintenance models (including open source and proprietary models). This paper offers a critical examination of how the market for bugs (partially) reorders the work of identifying and fixing flaws: It identifies how the invention of the market at once creates new forms of economic, legal, and technical precarity and new spaces for investigation, collaboration, and opportunity; and it analyzes the various social strategies that security researchers use to navigate and create stability within the market. The paper is based on data collected through ethnographic observation and in-depth interviews with security researchers and other participants in bug bounty programs. As bounty programs become a de facto way of organizing and managing software maintenance (and are proposed as a balm for other sociotechnical flaws and failings), understanding what the market means for infrastructure labor is vital. This paper reports initial findings from an ongoing research project sponsored by Data & Society Research Institute and the National Science Foundation.

Monday October 7, 2019 2:00pm - 2:45pm
5AB (2nd Floor)
