Mozilla to pay bounty on bugs

Wanted: Dead or alive

Users who identify and report serious security vulnerabilities involving Mozilla are to be rewarded for finding bugs in the open source Web browser software.

The Mozilla Security Bug Bounty Program, launched yesterday, promises a reward of $500 to anyone who finds a "critical" security bug in Mozilla. What constitutes critical will be judged by the Mozilla Foundation staff. Linux software developer Linspire and entrepreneur Mark Shuttleworth have issued seed funding to support the initiative, to be supplemented by donations from Mozilla supporters. The first $5,000 in community contributions will be matched dollar-for-dollar by Shuttleworth.

Mozilla already has a good record of promptly fixing any security problems that arise. The Mozilla Security Bug Bounty Program seeks to further encourage the community's focus on security consciousness and responsiveness. The level of reward has been pitched quite low - if somebody found an exploit they'd doubtless make more money via security firm iDefense's controversial vulnerability contributor program - but that's not really the point. The Mozilla program is probably best viewed as a symbolic gesture of thanks to those who take the trouble to find and report bugs, rather than as a way of providing a financial incentive to expand the number of people looking for problems involving Mozilla.

"This program reflects our commitment to protecting consumers from malicious actors," said Mitchell Baker, President of the Mozilla Foundation. "Recent events illustrate the need for this type of commitment. While no software is immune from security vulnerabilities, bugs in open source projects are often identified and fixed more quickly. The Security Bug Bounty Program will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers [crackers]."

Users who identify security bugs in Mozilla software are encouraged to go to Mozilla.org/security, which links to more information about which flaws are eligible and how to claim the bounty. ®
