Mozilla expands bug bounty program and triples payouts for flaw finders for hire
But the big money's in Huawei's new (invite-only) program
Mozilla has decided to celebrate the 15th anniversary of its Firefox browser by expanding its bug bounty program to cover a range of new sites and services, and – get this – triple its maximum payout.
So if you manage to find a remote code execution bug in Firefox or in some of Mozilla's lesser-known services – its payment subscription service, VPN, localization, code management tools, speech recognition, and so on – you could walk away with $15,000. Subject to all the usual caveats.
The decision brings Mozilla level with the bottom end of the industry when it comes to rewarding security researchers for finding security holes. For example, Yahoo! – remember them? – offers up to $15,000 if you find any holes in… whatever Yahoo! does these days. Snapchat likewise.
But Mozilla's rewards are still some way from the other tech giants. Intel, for example, offers anywhere between $500 and $100,000 depending on severity (side channel, anyone?). That is beaten by Microsoft, which offers up to $300,000 – and a minimum of $15,000.
Dropbox will go up to $33,000; Twitter maxes out at $20,000; Facebook doesn't give a maximum because it's Facebook and it never does anything wrong anyway. Google, meanwhile, will give you $150,000 if you can crack ChromeOS in guest mode.
But wait! What's this? Huawei has also jumped into the bug bounty game and has conspicuously offered more than Google to find a hole in its mobile phones.
In a not-so-subtle poke at the US government, which continues to declare that the Chinese manufacturer is a national security risk, Huawei has said it will pay out $220,000 for a critical vulnerability in one of its Android devices (Mate, P, Nova, Y9 and Honor) and up to $110,000 for a high-severity spot. Google offers $200,000 and $100,000 respectively.
Top of the bug bounty heap, however, is Apple, which earlier this year upped its maximum $200,000 payout to a tasty $1m if you can figure out how to hack an iPhone without requiring someone to click – or tap – something. If you stumble on a network attack that doesn't require user interaction, you could be looking at a healthy $500,000 with a 50 per cent bonus if the bug is spotted in beta software.
But, of course, the average payout is what really counts for people who decide to spend some of their time using their technical know-how to probe companies' software. And it ain't great: across all the tech companies the average is fairly low.
Regardless, the decision by Mozilla – a nonprofit – to raise its bug bounty to match the rest of the market is a sign of two things: one, that bug hunting is in a relatively healthy state where it is worth a company's while to follow the market; and second, that Mozilla appears to be making a big push to get more users onto its services.
Last month, the latest version of Firefox was released and the company has started pushing its privacy-friendly features – called Enhanced Tracking Protection (ETP) – as a key differentiator between it and, well, Chrome.
If it is going to make that privacy distinction stick, Mozilla had better make sure that its new technology isn't riddled with bugs that enable attackers to do the opposite and grab people's personal data. Hence the beefed-up bug bounty.
Also worth reflecting on the fact it has been 15 years since Firefox 1.0 came out. And how much Internet Explorer sucked – in large part because it was full of security holes. ®