One of the great wonders of our networked society is how many different types of software work in concert with each other constantly. They are developed by different people, at different times, for different purposes. The more complex the program, the more likely that it is itself composed of many more pieces of software.

The downside is that software is bound to break (or be broken) through interactions with others. Most code is in constant need of tuning and updating, and failure to do so can put users at risk. Black markets for buying and selling security vulnerabilities are thriving, and the race for software owners to patch “bugs” is intense.

Even big corporations like Google, Facebook and PayPal make parts of their code “open source” to increase the potential number of people who can help identify problems. They lure developers by offering money or recognition through so called bug bounty programs.

Don Marti, an open source participation strategist for Mozilla based in San Francisco says the bounty system has helped by paying some people to report problems, and that improving on market designs could eventually even make it core to the software business.

Don Marti, 2016. Photo by Don Marti, (CC-BY-SA 4.0).

Bounties are great for reporting security issues, but tying bounties to more complex open source development processes is harder. Figuring out who deserves credit for fixing bugs or what type of remuneration is owed for partial fixes, triage or code review is complex and costly.

And so, incentives to do high quality, collaborative, open-source work are often weak and don’t scale well, even as peer production systems may be the best opportunity to stop the world from being hacked as more big and small companies churn out software that hits the market before it’s truly ready.

What’s the solution? Marti is part of a team with Harvard PhD researcher Malvika Rao that is developing a new “futures market” system for bugs that they hope could be part of the answer. It’s called Project Bugmark and is a supercharged combination of open source development and high finance: open, decentralized, collaborative and running on blockchain.

Project Bugmark will make use of “smart contracts” (the operating logic of blockchain transactions) to enable anyone to “invest” in solving the entire or partial problem, and be paid in the future upon completion of the job. Contracts for bugs can also be sold and traded openly, creating new monetary opportunities and incentives to get more people involved in the work.

“Open source has the economic advantage of letting people self-select the tasks that are important to them, and on which they can be most productive,” says Marti, but he insists that financial incentives can help make peer production sustainable in an economy where talented developers are hired away by startups, or burning out by volunteering on open source work.

“I keep hearing: this would be great if it works.’ The challenge now is to get a solid implementation and publish some results,” says Marti. While expensive as a computing system energy-wise, Marti believes the public ledger of transactions on the blockchain will build trust, and have the added bonus of enabling people to contribute anonymously and perhaps even encourage more diversity in the open source community by allowing the work to speak for itself.

Project Bugmark is supported by several companies, including Mozilla, Mountain View Smart Contracts and Rao’s new company, Incentives Research, in Canada. The project launched in December 2017 and is conducting experiments, trading with Ethereum.