Feeds

Mozilla sextuples bug bounty to $3,000

Firefox and hounds

Providing a secure and efficient Helpdesk

Mozilla has increased the bug bounty it pays security researchers sixfold to $3,000.

The move is designed to enlist more interest and support from flaw finders in the task of locating flaws in the code of Firefox and other software applications from Mozilla. Previously payments for eligible flaws in Firefox and Thunderbird earned just $500, under a bug bounty program first launched six years ago.

Eligible flaws need to be both critical and remotely exploitable. Payments are restricted to original security discoveries and exclude flaws in third-party plug-ins or browser extensions, however serious they might be. In addition, the scheme has been extended to cover vulnerabilities in Mozilla Mobile as well as Firefox and Thunderbird.

"For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug," explained Lucas Adamski, director of security engineering at Mozilla, in a blog post. "A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best way to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information."

Mozilla's FAQ on its bug bounty program can be found here.

Google has also established a bug bounty program, offering $500 for run-of-the-mill flaws and a leet-friendly $1,337 for critical or particularly interesting flaws in Chromium, the open source code behind its Chrome web browser.

TippingPoint's Zero Day Initiative and VeriSign's iDefense have bought vulnerabilities from researchers for some years. Payments vary but tend to top out at around $10,000. The firms use the information to add signatures to its line of intrusion prevention appliances, in the case of TippingPoint, or security services informed by early warning of upcoming security problems, in the case of VeriSign.

While marketplaces for security research potentially offer higher returns there's still scope for programs from vendors that compensate security researchers for the time and effort needed for the tricky and skilled business of identifying and reporting software vulnerabilities. ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.