Bountysource Stole at Least $21,000 from Open Source Developers
I like open source. I like the idea of gifts to the commons. I like the idealism, this naïve belief that if we all do our part, we can make beautiful things together. Unfortunately, I’ve spent the past few months committed to profiling the open source community for this blog. Now, I know that I was stupid. In our culture, open source does not represent freedom. It represents an exploitive relationship, where wealth is brutally extracted from maintainers (I could keep going forever). And I can’t think of a better example than Bountysource. Why is nobody talking about this?
One of the core issues in open source is that there tends to be immense feelings of entitlement in downstream consumers. They have somehow convinced themselves that just by using your stuff, they deserve support. Obviously, this relationship is utterly broken. Bountysource promised to fix this issue, by enabling users to “fund” issues. Issues with higher funding would be prioritized by maintainers:
And so, the maintainer is empowered to demand compensation for their work, at long last.
Trouble in paradise
Bountysource grew and grew, permeating into all corners of open source. A brief survey of GitHub shows that 55,000 issues make reference to it, and the archives show triumphs for projects like Borgbackup, ElementaryOS, Nextcloud, and Nim. Bountysource represented a rising tide, but they could not avoid the allure of wealth.
In 2017, the project was purchased by the cryptocurrency company CanYa, and in 2020 it was sold to “The Blockchain Group”. Coincidently, around this time, the Bountysource project announced drastic changes to its terms of service, enabling them to steal unclaimed bounties after two years:
2.13 Bounty Time-Out.
If no Solution is accepted within two years after a Bounty is posted, then the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource. For Bounties posted before June 30, 2018, the Backer may redeploy their Bounty to a new Issue by contacting support@bountysource.com before July 1, 2020. If the Backer does not redeploy their Bounty by the deadline, the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource.
After backlash the company reversed course, and business continued as usual. There was barely any publicity hit.
While things seemed better, business continued at an agonizingly slow pace. GitHub issues show that at numerous moments in time, payments were left pending for months on end. Some developers claimed that as early as June 2023, their payouts amounting to thousands of dollars went ignored. Soon after, after showing signs of crisis, the company quietly announced bankruptcy in 2023, leaving tens of thousands of dollars left unpaid.
Casualties
There has been shockingly little discussion of this event. The community quietly accepted their loss, and the voices of developers who lost thousands of dollars were never amplified. This is but another sorrow of open source. It’s not unique in any type of way: open source developers were simply exploited once again, as is usual. Their sorrows were not given voice. I still don’t have much of a platform. I cannot give these maintainers the attention they deserve. But I need to try. Here are the known casualties of Bountysource:
| Project | Amount |
|---|---|
| NewPipe | $6000+ |
| FreeCAD | $4279.10 |
| Abdel | $4000 |
| Ryan Schultz | $3500 |
| parvit | $1100 |
| Davide Beatrici | $1000+ |
| abebeos | $1000 |
| abmyii | $200 |
| Jaap Marcus | $190 |
| PythonSwiftLink | $150 |
| Thomas Waldmann | $144 |
| Gordon N. Squash | $139 |
| Total | $21,702.1 |
This only accounts for the developers who had completed their work and were awaiting payment. It is likely that magnitudes more money was held in escrow, which has also been lost. This means that not only were the developers harmed — the few people who found it in their heart to donate were also scammed. Who knows how many more thousand dollars are still missing. For now, the man and the woman and their henchmen who stole from the FOSS community continue to run free.