In September 2023, Andrew Kelley published “Bounties Damage Open Source Projects” on the Zig language site. The argument was blunt: bounties attract the wrong contributors, distort priorities, corrode community motivation, and leave project finances in the hands of fragile intermediary platforms. At the time, some people pushed back. Two and a half years later, the retrospective is not kind to the skeptics.
The Bountysource collapse vindicates the platform risk concern alone. Bountysource was founded in 2012, one of the oldest bounty platforms in the ecosystem. It changed hands in 2017, then again in 2021 to ownership that turned out to be effectively opaque. By mid-2023, withdrawal requests were going unanswered. Contributors who had earned bounties could not access their money. Projects that had accumulated fundraising balances discovered those balances were inaccessible. Estimates put the affected funds in the tens to low hundreds of thousands of dollars. The platform went dark by late 2023, with no practical legal recourse for anyone involved. That is not a cautionary edge case; that is the predictable consequence of trusting an intermediary whose business model was always fragile.
But the platform risk is the least interesting part of the argument. Kelley’s deeper points are structural, and they hold up precisely because they are grounded in how human motivation actually works.
The Crowding Out Problem
The behavioral economics literature on this is substantial and consistent. Uri Gneezy and Aldo Rustichini published “A Fine Is a Price” in the Journal of Legal Studies in 2000. They studied Israeli daycare centers that began fining parents for late pickup. The result was the opposite of what rational actor models predict: late pickups increased. The fine converted a moral obligation into a market transaction. Parents who previously felt guilty about being late now simply paid the fee and felt nothing. The social norm was crowded out by the price signal. Crucially, when the fine was removed, the norm did not return. The damage was permanent.
Bruno Frey and Reto Jegen formalized the mechanism in “Motivation Crowding Theory” in 2001. External interventions crowd out intrinsic motivation when three conditions hold: the intervention is perceived as controlling, the person already had strong intrinsic motivation, and the reward is contingent on specific performance. Open source bounties satisfy all three. A contributor who was already excited about fixing a bug because it scratched an itch now encounters a bounty attached to that same bug. The frame shifts. Their participation is no longer about solving an interesting problem; it is about earning a payout. Edward Deci’s earlier self-determination research found the same pattern: contingent rewards undermine the autonomy and competence needs that sustain intrinsic motivation.
This is not a hypothetical concern for open source. The communities that produce high-quality software over long periods are, by and large, communities where participation feels meaningful independent of payment. When bounties are introduced, they do not add motivation on top of existing motivation; they replace one kind with another. And the transactional kind is worse for the work. Contributors optimized for collecting a bounty tend to submit the minimum viable patch that qualifies. Maintainers still have to do the conceptual work, evaluate the approach, and often substantially rewrite the submission. The contributor gets paid; the maintainer absorbs the unrewarded cost.
The Resource Allocation Problem
Kelley’s other core point is about who controls where the money goes. Bounties give that control to whoever posts the bounty, usually someone who wants a specific feature or fix, not someone with a comprehensive view of what the project actually needs. The unglamorous essential work never attracts bounties: CI maintenance, documentation, issue triage, review, dependency auditing, build system improvements. These are the activities that determine whether a project is sustainable, and they are systematically defunded by a bounty model that only rewards visible, completable tasks.
This connects to something Eric Raymond observed much earlier in “Homesteading the Noosphere” in 1998. Raymond described open source as a gift economy where status accrues from giving. That model works within bounded communities with dense social ties, where everyone knows each other and reputation is legible. As open source scaled globally through corporate supply chains, those conditions eroded. Bounties are an attempt to substitute market exchange for gift economy norms, but that substitution destroys the remaining norms without solving the funding problem. You lose the gift economy and do not get a functioning market in its place.
The Heartbleed vulnerability in 2014 illustrated the failure mode. OpenSSL, securing a substantial fraction of internet traffic, was maintained by roughly one full-time developer on approximately $2,000 per year in donations. The Linux Foundation’s Core Infrastructure Initiative response was significant: institutional funding for critical infrastructure. What it was not was a bounty program. The response to the gift economy failing at scale was to fund maintainers directly as stewards of infrastructure, not to marketize individual contributions.
What Actually Works
Every model that has demonstrably worked inverts the bounty structure in the same way: it returns resource allocation control to maintainers.
GitHub Sponsors, launched in 2019, funds people and projects rather than specific tasks. By 2023 it had paid out over $40 million. Sponsors give recurring money with no strings attached to particular features. Maintainers decide what to work on. Open Collective provides transparent finances and fiscal hosting, used by webpack, ESLint, Vue.js, and Babel, with the same principle: pooled funds under maintainer discretion. Tidelift sells enterprise subscriptions that fund maintainers for ongoing stewardship commitments, providing predictable recurring income rather than task-contingent payments.
The Sovereign Tech Fund, a German government initiative that treats open source as public infrastructure, has funded curl, OpenSSH, and GNOME. Daniel Stenberg, the curl maintainer, has said that Sovereign Tech Fund contracts were far more productive than years of Bountysource bounties. That comparison is precise and worth dwelling on: the same maintainer, the same project, two different funding mechanisms. One worked; one did not.
Security bug bounties are the genuine exception. Google’s Vulnerability Reward Program for Chromium works because the criteria are objective, the amounts compensate expert effort appropriately, finding security bugs does not require caring about architectural coherence, and security researchers already operate in a market context. The conditions that make bounties harmful for feature development simply do not apply to adversarial security research. These programs should not be generalized to the rest of open source.
The Pattern
Kelley’s argument was correct in September 2023. The Bountysource collapse has since provided concrete evidence for the platform risk concern. The behavioral economics literature provides the formal mechanism for why bounties corrode motivation even when the platform does not fail. And the contrast with working funding models clarifies the structural error: bounties transfer resource allocation authority away from the people best positioned to exercise it.
The sustainable path is funding maintainers to maintain, not funding tasks to be completed. That distinction is simple to state. It has taken the ecosystem a long time to act on it consistently, and it is still not acting on it consistently enough.