Mozilla doubles bug bounties to $10k

Foxing the holes in the code

Mozilla has more than doubled the cash rewards under its dusty bug bounty to beyond $10,000.

The browser baron has increased the reward for high-severity bugs such as those leading to remote code execution without requiring other vulnerabilities.

Engineer Raymond Forbes says the bounty had not been updated in five years and had fallen out of step.

"The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again," Forbes says.

"We have dramatically increased the amount of money that a vulnerability is worth [and] we are moving to a variable payout based on the quality of the bug report, the severity of the bug, and how clearly the vulnerability can be exploited.

"Finally, we looked into how we decide what vulnerability is worth a bounty award."

Mozilla previously awarded $3000 for critical vulnerabilities that could seriously endanger users. It paid small amounts for only some moderate vulnerabilities that will under the revamp now attract up to $2000.

The Firefox forger also launched its security bug hall of fame which is a common and important component of bug bounty programs, and will open a version for web and services.

Bug bounties are enjoying a boom of late with many large organisations opening in-house and outsourced programs to attract security vulnerability researchers.

The schemes promise to increase the security profile of organisations while providing hackers with an opportunity to practice their skills and earn cash or prizes without the threat of legal ramifications.

Programs must be properly set up prior to launch including clear security policies and contact details posted to an organisation's web site, and strong communication between IT staff and bug hunters.

Hackers will often drop unpatched vulnerabilities to the public domain if an organisation fails to respond or refuses to fix the bugs. ®




Biting the hand that feeds IT © 1998–2019