> Approximately 95% of the engineering work was done by Lyapsus. Lyapsus improved an incomplete kernel driver, wrote new kernel codecs and side-codecs, and contributed much more. I want to emphasize his incredible kindness and dedication to solving this issue. He is the primary force behind this fix, and without him, it would never have been possible.
> I (Nadim Kobeissi) conducted the initial investigation that identified the missing components needed for audio to work on the 16IAX10H on Linux. Building on what I learned from Lyapsus's work, I helped debug and clean up his kernel code, tested it, and made minor improvements. I also contributed the solution to the volume control issue documented in Step 8, and wrote this guide.
> Sincere thanks to everyone who pledged a reward for solving this problem. The reward goes to Lyapsus.
More generally, software is really, really expensive to produce and maintain. The economics only work at scale, in particular for B2C. (Maybe AI will change that, if it becomes more reliable.)
You generally only need multiple people for timely action, and it usually even slows you down (from the perspective of total hours spent).
Like 2k bug bounty? I guarantee you some people would be willing to spend a lot of time for that. But yeah, people who are gainfully employed and have a decent salary - likely not.
Which is, in order for some rando to fix the bug; a company would need to give access to their codebase to some rando.
And they don't wanna do that.
Imagine FAANG assigning $500 per engineer per year to allocate to feature / bug bounties.
That potential for failure is there for any "subcontractors". I wonder if anyone has any stats on this.
Bounties for security holes make sense because you don’t need to submit the patch, just find the hole.
And bounties for open source (like in this case) also make sense because you have everything you need to submit a patch.
But for everything else (like big tech, startups, and so on) bounties can’t fix bugs because even if I find a bug, how am I going to patch it without access to the source code? How can someone submit a patch to Netflix or whatever?
IME your average SV startup has a long list of bugs they are aware of, but just haven’t gotten around to fixing because other priorities are in the way. But people can’t help patch unless you have an open development process.
Am I missing something?
In all of those cases users/players were able to fix bugs and add desired functionality (mostly) independently, on a closed-source program.
For industrial software you don't see as much, even though arguably cracks (to skip license check) qualify here.
The parent seems to be talking about the companies using bug bounties as a way to fix bugs in their software and the fixes becoming part of that software (not a separate mod run on top).
That's how. Bethesda put a mod manager in Skyrim and works with some of the developers, they distribute fixes as game patches, you can distribute yours as "mods" or let them repackage it into an official patch or the next update.
I guess maybe it could apply to some niche cases of locally run software like Photoshop, though I’d be shocked if the marginal gains of a bug bounty program could justify the massive cost of implementing a mod system like this for Photoshop.
But the fact is that most software in the world doesn’t work like Skyrim. Large parts of most software run on servers or on locked down mobile operating systems where modding systems are not possible.
What you are proposing kind of already exists for web frontends in the form of browser extensions, but having worked on several apps for which an ecosystem of browser extensions sprung up, my experience is that there is no simple way to port these features to the main product. For security and QA, every line of code needs to be vetted anyway, and then “translated” into a form appropriate for the existing code base. At most, they just validate demand for a feature or bug fix.
That's literally the issue, management by KPI frameworks
How many companies have Teams for basically free with their 365 license but still pay for Slack? The marginal value of Teams is nearly zero.
It shows unread messages for a chat that has the focus and the “unread” message is visible.
When using the keyboard shortcut to create a new message (Command-N) it drops the first character of the recipient unless I introduce a noticeable delay between shortcut and recipient.
I’m sure I have more, but these are just from memory.
There is also just feature jank like for instance you cannot have two instances open at the same time if you have two organisations that you work for, you have to switch constantly. This is a disaster for any consultants or contractors who are placed in-org on teams.
The calendar space for an all day event takes up a sliver of space on the calendar, meaning people will often instead schedule an event for 9-5 or worst case 12-12 hours so it's not missable on the calendar easily etc...
It has to be good enough that other options are not worth the hassle to switch over to, for enterprise customers. The quality doesn't matter in the slightest, because making it 5-10% better would cost double or triple.
Where quality does matter for these customers, backward compatibility, Microsoft does pretty well.
The above back of envelope maths ignores the overheads of interacting with the people who posted the bounties to get them to agree to pay up, and of the cost overruns on the class of bugs that look like two day fixes but take two weeks.
(And it's just a placeholder. $200k seems like it's at least in the direction of the right ballpark.)
I've seen similar but less extreme examples play out in the private sector. 16 year senior architect making less than freshly hired software dev that was just an intern within the same company. Software developer pay is largely based on what you're demanding. In a lot of companies, there is a wide range of pay for folks doing literally the same job. They will hire a dev at $180k because that dev wouldn't go lower and turn around and push back to get another dev at $120k for the same level of unproven experience.
You have to keep finding clients (I'm sure it's easy now, will it always?) and pay all your expenses.
The 60k buffer probably just covers the salaries of the multiple layers of management and facilities (building, cleaning...).
Makes Starbucks barista pay look good…
Of course, if they can churn this out closer to 2 days, maybe there is something there.
Such a talented person would probably prefer a more certain and higher income.
I think the real blockers are the legal implications of reverse engineering.
Well, this would imply broken software. You already paid for the software, now you are required to pay to get bugs fixed? Bad optics, although not beyond contemporary sentiments... Inherently shady incentives: https://en.wikipedia.org/wiki/Perverse_incentive
This kinda only works best for FOSS, incentivizing external devs IMO.
After about a hundred back-and-forths getting the guy with the actual hardware to try different commands, I was thinking to myself man, maybe he should just give him remote access to work on the target PC, this is torture for both of them. And then I see him comment:
> Honestly I'm thinking of this and maybe something insane like organizing ssh access or something to quit torturing Nadim with building and rebooting all the time
And Nadim replies:
> Haha, sorry, but there's no way I'm giving you SSH access!
> I’m fine with continuing with tests!
Which is fair enough! But was funny to see right when I was thinking the same thing. Great perseverance from both of them.
Was slightly disappointing that they moved off GitHub to Discord eventually so after all that, we miss the moment of them actually getting it working!
Good suggestion, but I discovered that React was not able to fix my Linux kernel, either, for some reason.
Hal3000: "Great request—here is your React version 20XX* TODO list"
*20XX is a year+ old version of React
https://words.filippo.io/claude-debugging/
https://dmitrybrant.com/2025/09/07/using-claude-code-to-mode...
You either fix a driver in the kernel or a driver outside the kernel, it's not going to make that big of a difference to the person who has to fix it.
For driver developers the above where you rebuild the kernel is a necessary step in developing the driver but now the above is done someone should make the trivial next step to make this into a prebuilt kernel module which is trivial to install for end users with no rebuild/reboot required. (I have built kernel modules before but I don’t have this laptop myself, sorry!).
I don’t have this laptop but have built kernel modules in the past to give context. It’s a tiny step to publish this as a kernel module so end users can trivially install this (this reduces the instructions to downloading one file, running one command, with no reboot or rebuild needed) so it’s quite reasonable to call this out and ask someone to do it.
It’s a bit like publishing a Windows driver as raw source code. Great work but there’s no reason not to ship the prebuilt driver right?
I’ve literally written kernel modules for high speed networking devices that have full access to the memory bus and enumerate pci devices. There’s no userspace or kernel space question here. It’s merely a matter of someone turning this into an easily installable kernel module
As someone who actually writes drivers I'm a little frustrated at this whole thread with people claiming Linux drivers have to be distributed this way.
Kernel modules exist for a reason, literally to allow end users as easy and as forwards compatible of a way to install drivers as Windows DLL-based drivers. This whole thread has a lot of know nothings chiming in if I'm blunt.
I don't think you have to be the original developer to create packages one can distribute. Go for it!
From TFA:
> This guide is currently for Linux kernel version 6.17.8. It will be updated for future kernel versions as they are released, until the fix is fully integrated into the kernel.
So it sounds like the plan is to get it into the mainline kernel, at which point it will get to all the distributions. So I don't see the problem here.
I have a couple old-ish Samsung Galaxy Book x86 tablets that have a similar issue, that I have never quite goaded myself into trying to reverse engineer. I'd love some better material on trying to reverse engineer Windows drivers: presumably maybe running Windows in QEMU with some kind of intercepting pass through?
I'm not willing to pay $1000 for a fix (it's easier for me to buy a new laptop that will work with Linux), but $100 is probably okay. :)
It's funny, but for as long as I can remember Linux (20+ years), there have always been some problems with sound.
On the plus side, if the built in speakers never work, the computer won't make noise unless you've plugged in something which is a nice feature.
I remember going for the highest paying bounty in the Ethereum VM several years ago (I think it was ~$400 DAI/SAI). I did it because I wanted to force myself to learn the internals and to see for myself if the bounty system works. I think I spent a few weeks debugging and ended up splitting the bounty.
As long as the user-facing issues are disconnected from the technical issues, it's going to be hard to get the true value.
It seems like there's a lot of personal information being asked for / thrown around... including a debit/credit card number?
Is there no better way to handle the bounty payment?
Lenovo may not be as friendly as IBM to its opensource.
Also, Lenovo Legion Pro 7* are not cheap (not that this would have been justified for cheap laptops).
Shame on Lenovo/<big company> who should have fixed this years ago.
Outsourcing this work to outside developers on the regular probably would make the media claim something like "Lenovo is too lazy to pay their people to make their speakers work so they make strangers on the internet do it instead" which isn't half false.
It'd probably be better and cheaper if they'd just hire someone to make their speakers work on Linux.
Are they stupid or is it just all a big lie?
Still, I didn't expect this amount of custom configuration for my new laptop. Most importantly Bluetooth sound and getting Nvidia driver support. For Bluetooth I ended up writing my own tiny daemon. While driver support exists there seems to be a race condition somewhere between Pipewire, systemd and the bluetooth drivers. And for Nvidia drivers I ended up using the CUDA driver repository which is curiously only available for Debian 12.