Skip to content

Asterisk Bug Bounties

I want to offer a bounty for a particular bug! Where can I do that?

Bug bounties for Asterisk may be posted on the Asterisk Development mailing list at https://groups.io/g/asterisk-dev

Minimum offer: $500

Bounty offers may be made for both new features and bug fixes.

The lower limit of $500 is to discourage pointless offers. "I'll offer $20 for 50 hours of work on this super complex bug!"

It would be helpful if those posting a bounty add "[BOUNTY]" to the subject line of the post, thus allowing subscribers to the list to filter.

If an Asterisk issue is present for the new feature or bug fix on the Asterisk issue tracker the "bounty" label can be added to it to allow easy searching. A comment should also be added stating the details and offer.

What is a bug bounty?

It is the case that some corporate users of Asterisk will pay you hard cash for your work on developing patches and bug fixes. Often, there are reasons that a firm can't or won't fix/patch Asterisk internally, and wants to outsource that work to the larger Asterisk community. The Asterisk community wins whenever a bounty bug is resolved because everyone benefits from that work. The company sponsoring the bounty wins, because their specific problem is fixed. And, of course, the programmer wins because they're paid.

Warning

Bounty arrangements are made between the sponsor and the programmer, and are NOT via Digium or any other third-party middleman. Payment terms, guarantees, etc. etc. are the problem of the two parties (programmer and bounty sponsor) and the bugtracker simply permits an open forum for discussion of the problems and for the bounty.

But what about ... ?

If the author has signed a contributor license agreement, and the patch is in the bugtracker, it's considered fair game to be included in the version of Asterisk that Digium maintains. These patches follow the same licensing rules as everything else for Asterisk that is submitted to the bug tracker.

If there are multiple resolutions to a bounty, it is the sponsor's sole discretion to award the payment or not. All bug reports that are bounty oriented will be public and GPL, and we will actively discourage/delete non-GPL arrangements that are based on bug reports in the open-community bugtracker (i.e.: you will incur the wrath of the bug marshal posse.)

This was discussed on the dev list in Jan 2013: http://lists.digium.com/pipermail/asterisk-dev/2013-January/058351.html

Finding bug bounties

The legacy archives of the Asterisk Development mailing list located at http://lists.digium.com/pipermail/asterisk-dev/ can be used to locate old bug bounties.

Current Asterisk Development mailing list archives are located at https://groups.io/g/asterisk-dev/.