> And it’s easy to fix - sponsor a contributor. It’d be cheaper than the many meetings that were needed to make the removal decision.

I don't think that's how it works. I mean, how many problems did you ever fixed by dictating how others should spend their own money?

Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is, and how urgent it needs fixing.

> Also, apparently some of these issues exist for over a decade. That alone tells you how serious the problem is

The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

> The "serious problem" is that they've known about bugs for 20 years and not committed resources to fix it. The problem is the money.

Who is "they"? Project maintainers? Project users? You?

> The problem is the money.

So this is a project that didn't require any funding for decades in order to exist. Explain exactly why you believe money is an issue.

I misunderstood and thought this was a google sponsored project and not an open bug bounty.

Even still, you're responding in a thread about someone who is trying to do legitimate work on this project and google is not honoring the bug bounty system.

A problem google could fix if they just assigned someone to manually review the case, it would take like 15 minutes.

I'm just saying they've got a bug bounty program but not a bug prevention bounty program, or even a fix a known bug bounty program. The security team has a budget for the realized risks but predictably not for managing unrealized risk in the open source community which they depend on.

> a bug prevention bounty program

Particularly for a dep they've chosen to ship in their browser.