Slashdot Mirror


Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

194 comments

  1. microsoft by pvt_medic · · Score: 5, Funny

    if microsoft did this they go bankrupt in a week


    obligatory jab at microsoft

    --
    30% Troll, 50% Underrated, 10% Interesting
    Score:5, Troll
    1. Re:microsoft by dsbaha · · Score: 2, Funny

      That is assuming that they'll even recognize the problem!

    2. Re:microsoft by Negatyfus · · Score: 1

      It's funny this has never happened to me.

    3. Re:microsoft by Anonymous Coward · · Score: 0

      Well, it's happened to me, and my gf, and quite a few others I got to switch (going from 0.8 to 0.9 seemed to bork on XP). (NB: I am not the same AC as above)

    4. Re:microsoft by Anonymous Coward · · Score: 0

      Doesn't this seem to be opposite of what the open source community is about? Now you're going to have people looking for bugs for money instead of people that are simply interested in creating better software. How long before there are discreetly placed advertisements in exchange for funding of projects?

    5. Re:microsoft by Anonymous Coward · · Score: 0

      Nonsense! Some bugs are completely non-random (from 1.2-1.7):
      a) in mail: Generate a password dialog box. Press an arrow key before the dialog box appears. Nothing has focus.
      b) select all in a textarea. paste something else into it. at best, the GUI corrupts, at worst, cpu usage spikes to 99%
      c) nice support for alpha channels. now do it the W3C way...

    6. Re:microsoft by Anonymous Coward · · Score: 0

      I am sure Mozilla is as vulnerable as any Microsoft's, but this could not be testified unless it grows as big as Bill Gates.

  2. The difference between mozilla.org and Microsoft by Anonymous Coward · · Score: 5, Insightful

    mozilla.org offers a $500 bounty for discovering "critical" security holes, while Microsoft offers a $250,000 bounty for catching virus authors.

  3. great idea by dieyack · · Score: 1

    I think this is a great idea, and that it will help mozilla become a lot more secure (and pretty fast I might add)

    1. Re:great idea by tiger99 · · Score: 1
      Yes, I would agree with that. Did you notice how quickly the last Mozilla hole was fixed, and how small, in fact tiny (1kb), the download was to fix it?

      I have used Mozilla, and before it, Netscape for almost all browsing for a long time now, and simply do not get the problems that IE users get.

    2. Re:great idea by PastaLover · · Score: 1

      If you're talking about the shell: thingie, that was actually a windows problem, not a mozilla one.

      I do agree though that bugs in mozilla sometimes seem to take awfully long to fix. No use in finding the bugs and then letting them hang for a while...

  4. I wonder if he's kicking himself... by NoMercy · · Score: 4, Interesting

    A few days ago you might remember someone who created an article on the vulnerabilities of a fake browser being made in an empty window using XUL...

    Guess he's 500 dollars down for blowing the whistle a week early :)

    1. Re:I wonder if he's kicking himself... by Anonymous Coward · · Score: 1, Informative

      The initial bug report was made almost three years ago, marked confidential, and ignored. He was far too late to claim the bounty on that particular bug.

    2. Re:I wonder if he's kicking himself... by Anonymous Coward · · Score: 0

      Not even close to critical bug.

    3. Re:I wonder if he's kicking himself... by Anonymous Coward · · Score: 1, Informative

      The "bug" was known for 5 years. It's not so much of a bug as it is an exploit though. That being said there are several defaults that definitely need to be changed. I'm glad they're starting a program like this, it's bound to make mozilla a more secure package overall. If for no other reason than if a bug is found it'll be reported rather than hidden and used for malicious purposes later on.

    4. Re:I wonder if he's kicking himself... by netsharc · · Score: 1

      So will that be the case for each new bug?

      "I found an exploit! Gimme money!"

      "Oh, we had that 3 years ago, but it was confidential, here take a look at our DB. *snickers*."

      --
      What time is it/will be over there? Check with my iPhone app!
    5. Re:I wonder if he's kicking himself... by Anonymous Coward · · Score: 0

      Moz will have to pay more for bugs than $agency pays right now for this to be worthwhile to me. I got about six times that for the one-line Mozmail exploit simply because a lot of admins use Mozilla for security. Oh, the irony.

    6. Re:I wonder if he's kicking himself... by CTho9305 · · Score: 1

      It was ignored largely because a nearly-as-convincing fake can be created with DHTML, so blocking XUL doesn't add any real security. How many people really use different themes (so the DHTML fake would look wrong)?

    7. Re:I wonder if he's kicking himself... by jesser · · Score: 1

      No, it was ignored largely because the only real solution (make part of the browser UI unspoofable by making it always-visible) would break some web apps.

      --
      The shareholder is always right.
  5. In Other News... by Anonymous Coward · · Score: 5, Funny

    Microsoft puts bounty $5,000 on head of anyone uncovering IE security flaws.

    1. Re:In Other News... by Anonymous Coward · · Score: 0

      Bounty on HEAD? What, so instead of paying me 5000 dollars, they pay a bounty hunter 5000 to bring me in so they can beat me with a leather strap for finding a flaw? Sounds fun ;)

    2. Re:In Other News... by Patik · · Score: 1

      Nope, it's $250,000.

  6. Anyone know a Mozilla programmer? by jsimon12 · · Score: 5, Funny

    Cause we could go ahead and program ourselves a couple new minivans this evening ;) (yes I know Wally from Dilbert said it before I did, but this just seemed like the perfect time to use it)

    1. Re:Anyone know a Mozilla programmer? by BigFire · · Score: 1

      The quote being:

      "I'm going to write me a minivan".

    2. Re:Anyone know a Mozilla programmer? by Anonymous Coward · · Score: 0

      "Anonymous Coward", why don't you just say it to my face?

      Because you failed to post your name and address. Obvious, I would have thought.

    3. Re:Anyone know a Mozilla programmer? by Anonymous Coward · · Score: 0

      "Anonymous Coward", why don't you just say it to my face?

      I'm too lazy to go looking through your site and do WHOIS. Just post your address and phone number right here for everyone to see, and credit card info to pay for my travel expenses in advance, and then I'll come track you down.

    4. Re:Anyone know a Mozilla programmer? by joeytsai · · Score: 1

      There was a related strip where Dilbert and Ratbert were talking in front of Dilbert's desk.

      (From memory):

      Dilbert: Ratbert, for every bug I fix I get a bonus. Dance on the keyboard for me so I can fix your bugs.

      (Ratbert dances on Dilbert's keyboard).

      Ratbert: How am I doing?

      Dilbert: Not good. You've just created a web browser.

      --
      http://www.talknerdy.org
  7. Fantastic Idea by LanMan04 · · Score: 1

    This will give all budding CS majors (and lazy security geeks) a reason to hunt for bugs, other than being inquisitive.

    --
    With the first link, the chain is forged.
  8. /. Millionaire by baby_head_rush · · Score: 3, Funny

    Imagine if /. paid a nickel for every 503 error.

    --
    Oliver's army is here to stay Oliver's army are on their way And I would rather be anywhere else But here today
    1. Re:/. Millionaire by NeoThermic · · Score: 1

      >> Imagine if /. paid a nickel for every 503 error.

      I'd beat you to death with a sack of them...

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    2. Re:/. Millionaire by Anonymous Coward · · Score: 0

      If I had a hickey every time someone said that I'd be a redneck!

    3. Re:/. Millionaire by Short+Circuit · · Score: 1

      I wonder if Slashcode is beginning to crack under the weight of Slashdot. I'd like to see a hit counter for Slashdot that shows the rate of hits instead of the total count.

    4. Re:/. Millionaire by WoodenRobot · · Score: 1
      Slashdot's begun to Slashdot itself.

      Must be the end times!

      --
      ---
      "I did nothing. I did absolutely nothing and it was everything that I thought it could be."
    5. Re:/. Millionaire by ClippyHater · · Score: 1

      I was getting a ton of them today--I cleared my cache and emptied my cookies. All now seems to be well.

    6. Re:/. Millionaire by Anonymous Coward · · Score: 0

      Well, we have already seen the horror of the RADIOACTIVE BEIGE OF THE END TIMES.

    7. Re:/. Millionaire by sharkey · · Score: 1

      Or a nickel for every regurgitation induced.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  9. I'll stick my neck out by NeoThermic · · Score: 2, Insightful

    ...but doesn't this sound a bit desperate? IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate. (And alot of people would be rich).

    All credit to the Mozilla Foundation if they can keep their image with this kind of approach to security.

    Now, who's going to be the first to earn their $500?

    NeoThermic

    --
    Use my link above, or to view my server, NeoThermic.com
    1. Re:I'll stick my neck out by Anonymous Coward · · Score: 0, Informative

      A lot is two words.

    2. Re:I'll stick my neck out by ajrs · · Score: 2, Informative
      I'll chop it off for you. You might want to check out this link about TeX, which has had a bounty for decades.


      I think you might have confused bragging with desperation.

    3. Re:I'll stick my neck out by mytec · · Score: 4, Interesting

      My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security peace of mind Mozilla/Firefox has rather than the type of bounty TeX has.

      If Mozilla/Firefox were to lose the mainstream perception of a more secure browser, why would users of IE switch?

    4. Re:I'll stick my neck out by alefbet · · Score: 2, Interesting
      If Mozilla/Firefox were to lose the mainstream perception of a more secure browser, why would users of IE switch?
      I switched for the features. I stayed for the security.

      (Oh, and switching to Linux had something to do with it, too, in my case.)

      --

      A hack is just an idiom waiting for wider use.
    5. Re:I'll stick my neck out by jesser · · Score: 1

      TeX has a lot of "interesting" features that I would consider bugs if the program wasn't as old as TeX is. For example, you have to run TeX twice to get it to update both the body of a document and its table of contents. And its error messages aren't always informative.

      --
      The shareholder is always right.
    6. Re:I'll stick my neck out by jesser · · Score: 2, Interesting

      TeX's bounty is for all bugs, not just security holes.

      mozilla.org's bounty is more similar to djb's bounties for security holes in his server software, djbdns and qmail. The major differences between mozilla.org's bounty and djb's are that mozilla.org produces client software rather than server software, and we expect our bounty to be won (multiple times).

      --
      The shareholder is always right.
    7. Re:I'll stick my neck out by Lanzaa · · Score: 1

      People that work for Microsoft might already have this (I doubt it). The employees are supposed to find bugs and security issues, not people from the community.
      It's easy for an open source project that expects community input to say 'We will pay our community that works' than for a closed source proprietary software company to say 'We will pay the community.'

    8. Re:I'll stick my neck out by FooBarWidget · · Score: 1

      "IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate."

      So? It's their own fault that they've gotten a reputation that's so bad that people treat them differently.

    9. Re:I'll stick my neck out by ajrs · · Score: 2, Interesting

      There is an interesting notion. When does a bug get grandfathered?

    10. Re:I'll stick my neck out by Mr_Silver · · Score: 1
      My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security peace of mind Mozilla/Firefox has rather than the type of bounty TeX has.

      Alternatively, could it be a bit of PR to deflect from the controversy surrounding the two recently publicised bugs which had been sat on by the Mozilla team for several years before they got around to being fixed?

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    11. Re:I'll stick my neck out by jandrese · · Score: 1

      IMHO, the interface on the TeX parser (or whatever it is called) is a bug. The learning curve on the command line parser is astounding, and that's before you even consider setting up the Metafont stuff. TeX has a lot of nice features, but it is a nightmare for the casual user. Fortunately these days casual users have OpenOffice and the like, but I still have chills from back in College where we had to mark up our papers in TeX (or pay for a copy of Word and Windows 3.0 down at the Campus Bookstore).

      --

      I read the internet for the articles.
    12. Re:I'll stick my neck out by Zaiff+Urgulbunger · · Score: 1

      Alternatively, could it be a bit of PR to deflect from the controversy surrounding the two recently publicised bugs which had been sat on by the Mozilla team for several years before they got around to being fixed?

      Naa, it's purely a small amount of money to focus a lot of eyes on the problem. If it was pure PR they'd probably offer a much larger sum of money for catching virus writers or something?!

    13. Re:I'll stick my neck out by juhaz · · Score: 1

      Microsoft already does it. Only, being Microsoft, they do it backwards and pay for catching bad guys who exploit the bugs in their software, instead of paying for fixing them damn bugs.

  10. Similar idea at Microsoft by Locky · · Score: 3, Insightful

    Instead they have a $10 million dollar pool of rewards for the capture of people who exploit the bugs for malicious purposes.

    I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.

    1. Re:Similar idea at Microsoft by Anonymous Coward · · Score: 0

      Microsoft's problem is that "an ounce of prevention" wouldn't make any dents at all. In order to make any noticeable difference, Microsoft needs so much prevention they'll need a bulldozer the size of a small country in order to move it.

    2. Re:Similar idea at Microsoft by hkmwbz · · Score: 1
      The security hole is already there. How do you prevent it by paying people for finding it? Microsoft paid money to catch the virus author because he was doing massive damage. Why? Not because the security hole wasn't found (it was), but because people don't patch their systems.

      I'm not usually one to stand up for Microsoft, but come on! What is it with you people who compare Microsoft's reward for catching virus authors and Mozilla's security bounty?

      Security holes are found in IE all the time. So what's the point in Microsoft wasting money by paying people to find what they'll be finding anyway?

      --
      Clever signature text goes here.
  11. Way to turn the tables on M$! by Exmet+Paff+Daxx · · Score: 3, Insightful

    Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

    Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.

    -Exmet

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
    1. Re:Way to turn the tables on M$! by Anonymous Coward · · Score: 0

      Huh, you think people are still willing to work for a gmail account?

      www.gmailswap.com if you don't have one. I got one for writing a 3 line poem.

    2. Re:Way to turn the tables on M$! by Short+Circuit · · Score: 1

      Now Linux gives out cash...

      Be a little careful how you word things. This is specific to the Mozilla Foundation. It doesn't have anything to do with Linux. But it does look great from a leadership role.

    3. Re:Way to turn the tables on M$! by Anonymous Coward · · Score: 0

      Mozilla != Linux

    4. Re:Way to turn the tables on M$! by Quash · · Score: 1

      NY Times wrote: "Mr. Bush landed with the bike on top of him but was unhurt except for a cut on his knee. The last time, in May, he scraped his face, hand and both knees." In actual fact: George Bush fell off his mountain bike on Saturday, grazing his chin, upper lip, nose, both knees, and his right hand, a White House spokesman said. The president was 16 miles (26km) into a 17-mile ride on his ranch when he hit some loose soil while riding downhill. Spokesman Trent Duffy said Mr Bush suffered "minor abrasions and scratches" during the fall, Trent Duffy told reporters.

    5. Re:Way to turn the tables on M$! by rd_syringe · · Score: 1

      1.) Using a dollar sign in the word Microsoft doesn't make you clever.
      2.) Your sig has been proven false. Already, we've seen two critical security holes in the past month, one of which was known for five years but covered up and marked as "confidential."

    6. Re:Way to turn the tables on M$! by Anonymous Coward · · Score: 0

      Fuck you and fuck your stupid GMail invites. No one gives a shit.

    7. Re:Way to turn the tables on M$! by Tony-A · · Score: 1

      I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

      There's a huge difference in paradigm, but if the media does anything about it, it will be to bury it.

      With the possible exception of some stuff by Knuth, everything has bugs, where possible inputs produce undesirable outputs.

      Given that there are bugs, what's the better way to stumble into them?
      Something nasty and hidden?
      Something spectacular and harmless?

      No, the media will be worse than useless. Since their livelihood depends on advertising, they are incapable of comprehending the mind of someone who keeps looking for hidden flaws.

  12. A gentleman's agreement by Anonymous Coward · · Score: 5, Insightful

    If you've ever won any money at a charity fund-raiser, you know the deal:

    1) go up and accept your check
    2) nod and smile a lot
    3) donate your check back to the charity

    Is there a prayer people motivated by this bounty have the same modicum of class?

    1. Re:A gentleman's agreement by Anonymous Coward · · Score: 0

      My name is Boba Fett. Accept my assurances that the fee from this job will not find its way back to Mozilla.

      Disintegration beams work very well on bugs too, you know.

      /evil smirk.

    2. Re:A gentleman's agreement by LanMan04 · · Score: 0

      1) go up and accept your check
      2) nod and smile a lot
      3) donate your check back to the charity
      4) ???
      5) Profit!!
      Sorry, it's not even funny, but I had to.....bahaha!

      --
      With the first link, the chain is forged.
    3. Re:A gentleman's agreement by Anonymous Coward · · Score: 0

      That's very nice, but I don't think that it's very gentlemanly to expect it of people. There are a lot of out-of-work programmers and students about that would appreciate $500 way more than the charity set up with the intention to give away money in this fashion.

    4. Re:A gentleman's agreement by Anonymous Coward · · Score: 0

      Mozilla may be a charity, but they're not on a mission to save the world. They're just writing a silly little piece of software. I wouldn't feel any guilt at taking the money.

    5. Re:A gentleman's agreement by Anonymous Coward · · Score: 0

      Just because others do the wrong thing, it doesn't mean I should too. I'll take the cheque and spend it on myself in any way I want. :-P~~~

    6. Re:A gentleman's agreement by Anonymous Coward · · Score: 0

      3) donate your check back to the charity

      It depends on the charity. Some of them are slimier than slime itself, especially the ones that resort to unsolicited mail and telephone calls. Even worse are the ones that mail out expensive-looking certificates showing how happy that $10 made that starving, yet bright-eyed with perfect teeth and a good complexion, kid.

  13. Skills by www.sorehands.com · · Score: 3, Insightful

    It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.

    1. Re:Skills by jeff67 · · Score: 4, Interesting

      True, debugging is not on curricula. But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

    2. Re:Skills by kryptkpr · · Score: 3, Insightful

      Not all debugging methods are created equal.. lots of extra printf calls will only get you so far. I can't count the number of fellow students whom I had to teach to use a debugger in my algorithms class.

      Debugging should definitely be taught in classes.. at least the basics of what a debugger is, how it can help you, and how to compile your program so a debugger can read it and give you source-level breakpoints.

      --
      DJ kRYPT's Free MP3s!
    3. Re:Skills by jesser · · Score: 1

      One of Mudd's required classes has "Exploit a buffer overflow" as an assignment. Unfortunately, I took the class before that assignment was added.

      Fwiw, I find it more fun to look for security holes in high level logic and GUIs than security holes related to memory management.

      --
      The shareholder is always right.
    4. Re:Skills by upsidedown_duck · · Score: 1

      But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

      Right. Just like those full-blown graduates I used to work with would take a week to write a Java text-processing program that could have been written in five minutes with Perl or sed. How about those database tables with things like "Email1" and "Email2"? What about choosing Oracle and Web Logic with full J2EE dressing for a site that has only a few dozen database tables and even fewer web pages?

      Computer Science is fun and all, but a degree shows little more than an ability to pass the final exams (I should know, I have one and work with people claiming to have one, too). Worst of all are graduates from Microsoft-bought-and-certified schools or even people who are so hooked by FOSS that everything, absolutely everything, has to be open source, even the tools that are a royal pain in the ass to configure and use but a well-chosen commercial package would pay for itself in just working.

      --
      -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
    5. Re:Skills by Anonymous+Brave+Guy · · Score: 1
      Not all debugging methods are created equal.. lots of extra printf calls will only get you so far.

      That's certainly true, although IME a little work to instrument code properly (via printf or something similar but more powerful/flexible) can go a very long way. We have quite a neat system on the project I currently work on, which basically keeps a stack trace and lets you record diagnostic messages at several levels of priority, and then lets you customise the diagnostic file that's generated based on which functions you want diagnostics for and at which priorities. We routinely code in such diagnostic messages -- often they just go where you might put a comment otherwise -- and it's often far faster to debug by looking at the output produced from this system than it is to step through code in a debugger.

      None of that makes debuggers any less valuable when you need that bit extra, of course. I'm not sure whether I agree with your comment about teaching debugging "in classes" or not. I guess it depends on the kind of class. If you're teaching pure CS, I tend to think that any specific tools -- be it a particular language or compiler, or something like a profiler or debugger -- should be used only for example purposes. OTOH, if you're claiming to teach software development (by whatever name -- I guess "software engineering" is most common) then I certainly think a course introducing the kinds of supporting tool you can get should be included. I'd have it start by describing briefly what a debugger, profiler, static code analyser, etc. do and why they are useful, and then looking at common features of debuggers/profilers, and when and how to use them.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  14. The question is.. by xerox_rat · · Score: 1

    This seems like it could become rather popular, after all people like money. Will the developers at mozilla all of a sudden find themselves with bugs that aren't?

    Don't get me wrong I think this is a great idea, and as others have said it should really spur on the tightening of security for the browser.

    --
    Will we all learn Reki's lesson one day?
  15. Continuing the Netscape Legacy by Anonymous Coward · · Score: 4, Interesting

    Until fairly recently, Netscape used to have a similar bug bounty program but they offered $1000. So it's really just a continuation of the legacy.

  16. Get rich quick by Anonymous Coward · · Score: 5, Funny

    1. Submit buggy software to Mozilla project.

    2. "Find" said bug.

    3. Profit!

    1. Re:Get rich quick by dveditz · · Score: 1

      Ha ha -- good one! Too bad we thought of that already: no bounties on code you wrote or reviewed.

    2. Re:Get rich quick by d3ad1ysp0rk · · Score: 1

      But your friend can, who can then keep $100 of the $500 for helping you out.

  17. Why? by slavemowgli · · Score: 1, Interesting

    Maybe it's just me, but I really am wondering why they're doing this. Mozilla is *full* of bugs already, many of them significant (albeit not security-related), that aren't fixed; and users that encounter security issues are likely to report them anyway, I think, no matter whether they get paid for it or not.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:Why? by interJ · · Score: 2, Insightful

      1. Users don't accidentally run into buffer overflows (or many other security bug types). It's something you have to actively search for. The money is supposed to motivate more people to do this.

      2. You may think that MNG support is more important than sites that can take over your computer or steal your credit card number. However, most people (including Mozilla developers) would disagree.

    2. Re:Why? by nz_mincemeat · · Score: 1

      I'm using Mozilla 1.7, and the link in the parent doesn't work ;)

      "Sorry, links to Bugzilla from Slashdot are disabled."

    3. Re:Why? by slavemowgli · · Score: 1

      You may have to copy and paste it in that case - or manually search for bug #18574.

      --
      quidquid latine dictum sit altum videtur.
    4. Re:Why? by Anonymous Coward · · Score: 0

      that's not even a bug, it's a request for a feature.

    5. Re:Why? by slavemowgli · · Score: 1

      Think again (and read it all). It is a bug.

      --
      quidquid latine dictum sit altum videtur.
  18. Mr. Linspire will not pay anyway... by Anonymous Coward · · Score: 1, Interesting

    It is no secret that Mr. Linspire still has not paid for the Project B of his XBOX bounty.

    8 months after the deadline...

    So do you really expect that he will pay the Mozilla money?

  19. mod parent up by Anonymous Coward · · Score: 0


    the irony is sickening (to the tune of $70bn vs a "non-profit org")

  20. Not just MS by krog · · Score: 5, Funny

    What if Slashdot gave $503 for every 503 Service Unavailable?

    Malda and company would be living off ramen and store-brand Mountain Dew in less than a week.

    1. Re:Not just MS by GersonK · · Score: 1

      Malda and company would be living off ramen and store-brand Mountain Dew in less than a week.

      Would this be any different from their current state of affairs?

    2. Re:Not just MS by krog · · Score: 1

      yeah, right now they spring for name-brand Dew. even pizza sometimes, too.

    3. Re:Not just MS by ackthpt · · Score: 1
      What if Slashdot gave $503 for every 503 Service Unavailable?

      Hm. What's causing this?

      I noticed over the last couple days that within 10 minutes of connecting to the internet my throughput was degrading to a crawl. My firewall logs indicate I'm under attack more than back in November, but is it possible that there's a worm out there that's just firing DoS attacks across ip address ranges?

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Not just MS by coolfrood · · Score: 1

      I've noticed that this is more likely to occur around 9 AM and at noon EST. Maybe this has something to do with people coming into their offices on the east coast and the west coast.

    5. Re:Not just MS by Anonymous Coward · · Score: 0

      Seems like it has something to do with being logged in with a cookie. If I access the site anonymously it seems to work fine.

    6. Re:Not just MS by xmas2003 · · Score: 1

      I wonder if the 503 errors are perhaps related to more folks pulling RSS feeds from /. - even though they limit it, if enough folks have this on full-auto, it adds up.

      --
      Hulk SMASH Celiac Disease
    7. Re:Not just MS by Anonymous Coward · · Score: 0

      a 3 liter of store brand mountain dew: $1.19
      4 packages of ramen: $0.50
      that malnourished methamphetamine addict look: Priceless.

    8. Re:Not just MS by spektr · · Score: 2, Interesting

      Hm. What's causing this?

      Maybe this?

    9. Re:Not just MS by Anonymous Coward · · Score: 0

      I got this too, (503 Service Unavailable). Yet on the same ADSL line a colleague running Firefox on an XP box had no problem at all. Never had a problem before.

      Crazy thing is that I can resolve /. with the following browsers:
      Konqueror
      Galeon
      Opera
      Mozilla 1.2.1 (old copy which I never normally use)

      I'm running SuSE 8.2 Pro and Firefox 0.9.1 (for Linux). 0.8 was fine. 0.9.1 opens other sites but not /. today.

      0.9.1 sometimes locks up but this could be due to plugins on my PC.

      Is it my installation of 0.9.1 or is there something in the /. website that detects 0.9.1 and says 503 Service Unavailable???

    10. Re:Not just MS by StalinsNotDead · · Score: 1

      but is it possible that there's a worm out there that's just firing DoS attacks across ip address ranges

It's probably the spirits of slashdotted sites getting their revenge from beyond the grave.

      --
      Thanks to the internet, we can now all die alone together! -SomeWoman
    11. Re:Not just MS by Spellbinder · · Score: 1

      the strange thing is that slashdot gives me 503 errors in mozilla but works well in IE at the same time
      that really drives me crazy
      that and playing doom 3 all night long

--
stop supporting microsoft with pirating their software!!!!!
    12. Re:Not just MS by cdemon6 · · Score: 1

      Yes, and:

      - $200 for every served request
      - $301 for every redirect
      - ...

    13. Re:Not just MS by Aero+Leviathan · · Score: 1

      Spooky... that page has been removed. What did it say?

      --
      ~ Aero
    14. Re:Not just MS by spektr · · Score: 1

      It said that OSDN (and thereby slashdot) has been bought by Microsoft. But now they deny it.

      In other words, the end of the world was canceled. :-D

  21. ARGHHHHHHHHHH~!!!! by Ex+Machina · · Score: 2, Funny

    why did I submit those bugs in the past :(((

    1. Re:ARGHHHHHHHHHH~!!!! by Crzysdrs · · Score: 0

      I have plenty of friends supremely peeved at having submitted some bugs recently, they want their just reward!

  22. Quick $500 by Bill,+Shooter+of+Bul · · Score: 4, Funny

I've found a serious flaw in Mozilla. It allows itself to run on Windows, an inherently insecure platform.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:Quick $500 by Anonymous Coward · · Score: 0

      Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha.
      I never would have thought of such a clever joke. I hope this gets modded "Insightful"!!!

      ROFL
      LMAO
      LOL
      A/S/L?

      Ha ha ha ha ha

  23. Hopefully better than the old Netscape version by Maestro4k · · Score: 2, Interesting

    IIRC, Netscape had a bug bounty of sorts and it was pretty much ignored. There was a lot of annoyance from people reporting bugs to see them either never fixed or fixed and no one given credit for the bounty. (This was all pre-AOL buying Netscape.) I know the Mozilla foundation's different, but there's a lot of people with long memories and they'll need to be prepared to show they're different in this aspect too.

  24. Now I'm kicking myself... by FusionDragon2099 · · Score: 0

    I remember saying to myself "If I had a nickel for every bug in (insert program name) I'd be rich". Remember, when you don't act on your ideas and file a patent, THIS happens. But I should tell MS to implement this idea. Note going broke should be a good motivation to fix their own security flaws.

  25. Obligatory Dilbert by AbbyNormal · · Score: 1

    quote: "Alright! I'm coding me a mini-van!"

    --
    Sig it.
  26. We will probably never get to see them by bdigit · · Score: 3, Interesting

Mozilla likes to do security through obscurity. Don't believe me? Look through the bug reports: any of them that contain any type of security vulnerability are locked down and you are unable to view them. What's up with that, Mozilla?

    1. Re:We will probably never get to see them by RadioheadKid · · Score: 2, Interesting

      It prevents bugzilla from becoming a handbook for script kiddies.

      --
      "Karma can only be portioned out by the cosmos." -Homer Simpson
    2. Re:We will probably never get to see them by crafteh · · Score: 2, Interesting

      If the public doesn't know about them, they won't be able to take advantage of them. If it is a tough problem to solve, like the browser spoofing with xul, they can make the bug confidential until the public finds out about it or they solve it.

    3. Re:We will probably never get to see them by Plutor · · Score: 0

Ditto what the other respondents said. Security through obscurity is better than no security. It gives the coders a chance to fix the problem _right_, not just plug it with a blacklist or something. Once the problem is fixed (or after the next release after the fix), security bugs are opened up.

    4. Re:We will probably never get to see them by pavon · · Score: 1

      You are correct.

What's up with that, Mozilla?

It is a good idea. Mozilla is a very large codebase with a relatively small number of developers. Therefore they don't have the fast turnaround time for fixing critical bugs that other projects do. They are already fixing bugs as fast as they can get around to it. If you want this process to go faster, join the development team.

Security through obscurity is not completely worthless - it does one thing, and that is to buy you more time, and that is all this is being used for. If you have not been part of the Mozilla development team, then you do not know the codebase well enough to fix critical bugs in a manner that doesn't potentially introduce more problems. And if you have been a part of the development team, then you have access to the critical bug reports, so you can fix them.

      It is always better to fix bugs rather than conceal them, but publishing the details of bugs that you haven't fixed is foolish. (This is opposed to just publishing the existence of vulnerabilities so your users are aware of potential problems).

      Security is a matter of tradeoffs and to make good decisions, it is not enough to say "this is good", "this is bad" - You have to understand why practices are good or bad so you can understand when they should be used and to what extent they can be trusted, and do the best with the resources you have.

      Side note / Prerefutation of slashbots:

No, I am not defending Mozilla because it is OSS, nor would I condemn a commercial company for doing the same. I would condemn them for claiming that their product is secure while hiding the existence of critical bugs. Some OSS projects are good about bugs, others are not. For example, I am absolutely convinced that Apache is inherently more secure than MS IIS. I cannot say the same about Sendmail vs MS Exchange. Mozilla I am not sure about. They do some things better, like safer default settings. But like IE they also allow just about everything in the browser to be scripted, and I have little confidence that there aren't many critical security bugs in all that code.

    5. Re:We will probably never get to see them by wfberg · · Score: 2, Interesting

      > Ditto what the other respondents said. Security through obscurity is better than no security. It gives the coders a chance to fix the problem _right_, not just plug it with a blacklist or something. Once the problem is fixed (or after the next release after the fix), security bugs are opened up.


      On the one hand, it prevents some blackhats from thinking "OMG! That's a pretty serious bug right there! I'm gonna write an exploit for it!".

      On the other hand, no non-mozilla developer who happens to be looking in bugzilla can say "OMG! That's a pretty serious bug right there! I'm gonna write a patch for it, and submit it right NOW".

Given the fact that that XUL bug was known for, what, a year, they might have considered letting someone else take a stab at solving it... You know, what with the whole open source idea being that many eyes fix bugs..

      --
      SCO employee? Check out the bounty
    6. Re:We will probably never get to see them by ChrsJxn · · Score: 1

Security through obscurity is a term used to apply to crypto which relies on keeping its algorithm unknown as its method of preventing someone from decrypting the message.

      What Mozilla is doing is not that. It is a viable strategy given the low number of people outside the organization who actually code for the browser. The people who are doing the programming are surely aware of the security issues, and keeping it quiet means that only the people who actually find the errors are able to exploit them (at least, until they get posted to some newsgroup or in some forum). It just gives the Mozilla people some time to fix them.

      --
      I once saw a /. article with 1 comment.
      I should've got a screenshot.
    7. Re:We will probably never get to see them by Saeed+al-Sahaf · · Score: 1

      It's just so funny to read people's comments here that as for Mozilla, "Security through obscurity" is better than nothing, yet down the line, hear them rake MS over the coals for the same thing.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    8. Re:We will probably never get to see them by hiroko · · Score: 1

Some security through obscurity is a reasonable precaution here IMHO, as part of a wider security policy. Principally, it may protect people using the browser from the script kiddies which full disclosure might bring (as others have noted).

      One of the main arguments for full disclosure is that, if a vendor isn't fixing a bug (in a reasonable period after you have notified them of it), you can force the issue by making it public.

      If security by obscurity was the core of the security policy then I wouldn't be happy about it. However, if you have a look at Mozilla's security bug policy, you will see that the bug reporter can open up their bug if they are not happy with how things are progressing.

Seems like a good compromise to me...

      Dave.

      --
      Just because you can't, doesn't mean you shouldn't.
    9. Re:We will probably never get to see them by HadMatter · · Score: 2, Informative

      So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

      Quoting from the Mozilla Security Bug Bounty FAQ,

      If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

      No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

      So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.

    10. Re:We will probably never get to see them by zsau · · Score: 1

      Mozilla lives and breathes because Microsoft does exactly the same. People don't feel safe running Microsoft software, because they aren't told of security vulnerabilities. So why should we be using Mozilla software?

Recently, I have decided to boycott all Mozilla software. Instead of using Galeon, I'm now using Konqueror (but it doesn't seem to have nearly as good a UI). I'm currently using Evolution, but the distance between Moz Mail/Thunderbird and the UI of its nearest competitor is a lot bigger than the difference between Galeon and Konq...

I won't be using any Mozilla software until they decide to end their 'security' through obscurity campaign and give us a formal apology/promise never to do it again. (I'm not going to be monitoring Mozilla's servers, so I'll be relying on word-of-mouth for this.)

      --
      Look out!
  27. Then clearly it hasn't happend to anyone else. by Anonymous Coward · · Score: 0

    QED.

  28. it's entrapment! by Anonymous Coward · · Score: 5, Funny

    Dear pvt medic,

    Thank-you for identifying this IE exploit! The FBI prize patrol should be by shortly with your reward!

    Sincerely,
    Bill Gates

  29. 0.9 is the problem in your case by Anonymous Coward · · Score: 0

    Not trying to troll, but 0.9 is a shit release. 0.8 zipballs and installers can still be found with a little digging around the Firefox page.

  30. If you *do* find a bug... by Anonymous Coward · · Score: 2, Funny

    ...and get $500 for your effort, you may want to keep it (as opposed to donating it to charity or giving it back to the foundation, as others have suggested here) because you're going to need it when you get sued for your service to the community.

    Thank you, DMCA and anything that protects big businesses which had their servers infect their customers' computers, but nobody got to know which businesses because they might lose money if their IT carelessness was made public.

    1. Re:If you *do* find a bug... by Anonymous Coward · · Score: 0

      Yes, because the entire world falls under the DMCA

  31. profit? by Anonymous Coward · · Score: 0

1-Name your GNU/Linux distribution to sound familiar with an insecure operating system that owns 90% of the desktop market.
2-Win a few million dollars to settle out of court giving up the stupid name (which made the product feel inferior even if familiar).
3-Use this money to fund the software on your OS, making it even better than the one you wanted to sound like.
    4-Profit? Forget profit, PRICELESS!

  32. Your sig by jesser · · Score: 1

    Is it a reference to Haibane?

    --
    The shareholder is always right.
    1. Re:Your sig by xerox_rat · · Score: 1

      that it is. Good Anime.

      --
      Will we all learn Reki's lesson one day?
    2. Re:Your sig by jesser · · Score: 1

      I don't understand your sig, which is probably a sign that I need to watch Haibane again.

      --
      The shareholder is always right.
  33. Send me the money!!! by Anonymous Coward · · Score: 0

    I found a bug, my FrontPage 2003 web pages don't display correctly in Mozilla.

  34. Re:The difference between mozilla.org and Microsof by Anonymous Coward · · Score: 1, Insightful

    Also, notice that one is based on prevention, the other is based on punishment.

    Which one you think is more efficient?

  35. This is just marketing spin... by xxxJonBoyxxx · · Score: 3, Insightful

    The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.

    Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.

    On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.

    1. Re:This is just marketing spin... by Anonymous Coward · · Score: 0

      $500 is maybe a half-day of work.

      Can I have your job?

    2. Re:This is just marketing spin... by oodl · · Score: 1

      > On the other hand, for most of us in the security community, $500 is maybe a half-day of work.

      That's a very U.S.-centric view. For some countries, $500 may be a month's work. Mozilla is not a U.S.-only project, and people from any country can make valuable contributions.

    3. Re:This is just marketing spin... by xxxJonBoyxxx · · Score: 1

      Well...the $500 bounty is itself U.S.-centric. (Note that it's not expressed in Euros or Yen.)

      I don't think Mozilla needs to sell itself to the rest of the world as hard as it has to sell itself to the U.S.; the rest of the world tends to already view Microsoft's browser with suspicion.

      So...yeah. I'll refine my comments to say that the bounty is still marketing spin, although it is clearly directed at the U.S. browser markets.

    4. Re:This is just marketing spin... by Anonymous Coward · · Score: 0

      2*500*5*4=40*500=20000. That's a nice monthly salary, 20 thousand USD.

  36. "Significant" by Neutronix · · Score: 2, Insightful

Perhaps I've been living too long in a cynical world...

But defining what a "significant bug" is will be extremely important, since this is not an unbiased concept: who will decide what is significant or not? Certainly it will not be the one who reports the bug, but it shouldn't be the one that pays the bill either.

    --
    Long live TUX!
    1. Re:"Significant" by Anonymous Coward · · Score: 0

why can't there be a little bit of trust?

you trust your employer to say you did the work you said you did to the quality expected.

this isn't a huge big elaborate contest where judges are required.

have a little faith. they have something to lose, their credibility, if they just claim everything is unimportant.

    2. Re:"Significant" by SimplexO · · Score: 1

      From the FAQ:

      What types of security bugs do you consider to be "critical"?

      In general we consider critical security bugs to be those that allow execution of arbitrary code on users' systems or that otherwise allow access to users' confidential information. In the latter case we consider bugs to be critical only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be critical if they potentially expose only lower-value information (e.g., browsing history) or information that would be useful primarily for other exploits (e.g., the names of files or directories on the user's system).

      Finally, in general we do not consider bugs that allow denial of service attacks to be critical in the sense described above.
  37. good call by Bill,+Shooter+of+Bul · · Score: 1

Lame joke, I'll admit. I happen to be a lover of lame jokes. The appropriate response to such a joke is not laughter, but a collective groan from the audience. I guess your post counts.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  38. Not using a debugger by www.sorehands.com · · Score: 2, Insightful

    Using a debugger without knowing what you are looking for is virtually useless. One needs to apply scientific methods and smart tool related methods.

  39. Let Me Get This Straight... by OmegaBlac · · Score: 1

    So if I find a serious bug in Mozilla, they will pay me $500? So then that means all I need is $199 more to pay SCO to be able to use Linux with a more secure Firefox? YIPPIE!!

    1. Re:Let Me Get This Straight... by tiger99 · · Score: 1

      Find two bugs and you will have $401 to spend on whatever you want, even after the Darl Tax. But if you do decide to pay the SCOundrel anything, you are a bigger moron than Dubya.

  40. Where does the money come from? by CowsAnonymous · · Score: 1

    Is it a Netscape-sponsored thing? Donations?

    --
    CowsAnonymous: We're here to help moo.
    1. Re:Where does the money come from? by atlantis191 · · Score: 1

Is it a Netscape-sponsored thing? Donations?

I can understand not RTFA, but it's in the header:

Sponsored by Linspire, Inc and Mark Shuttleworth

  41. Many eyes? by Yankovic · · Score: 2, Interesting

    What happened to the open source axiom "with many eyes, all bugs are shallow"? Shouldn't it render a program like this unnecessary?

    1. Re:Many eyes? by tiger99 · · Score: 2, Insightful

      Yes and no, yes because with sufficient eyes, all bugs are indeed shallow, and no because probably not so many eyes bother to look at the Mozilla source, as the Linux kernel, for example. This encourages more eyes to look.

    2. Re:Many eyes? by DMUTPeregrine · · Score: 1

      It also discourages exploiters. Find a bug, what do you do? Get enough cash for a new video card to play Doom 3, or write a virus. Not a very hard choice.

      --
      Not a sentence!
    3. Re:Many eyes? by /dev/trash · · Score: 1

      No.

      It just makes sure the eyes stay opened and focused longer.

  42. Your sig by KjetilK · · Score: 1

    Hm, your sig indicates that you might be the first to collect the bounty, or does it mean something entirely different?

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  43. Desperate - NO WAY, cheaper than testers by Anonymous Coward · · Score: 0

    It's a heck of a lot cheaper than hiring testers or paying programmers to find bugs.

  44. Sod the security problems - what about... by FyRE666 · · Score: 1

    ...the rendering bug I've had with Firefox since... well... forever! Only on Slashdot - for the disbelievers I've slapped a couple of screenshots up here. These are with the latest STABLE release, not a nightly bugfest, BTW...

    1. Re:Sod the security problems - what about... by Zaiff+Urgulbunger · · Score: 1

      I'm not that bothered about it myself, but I agree it does exist! I think some installs are affected more than other though - I'm sure my 0.8 install was okay, but I'm currently running 0.9.1 (patched) on Win2K and it is rendering /. strangely.

      The work around is to increase and decrease the font size (ctrl + then ctrl -).

    2. Re:Sod the security problems - what about... by jesser · · Score: 1

      The bug (217527) is not fixed in Firefox branch nightlies either, but it's "plussed" for Firefox 1.0 PR, so you can expect it to be fixed. See bug 217527 and bug 246382 (a regression caused by the fix for bug 217527) for details.

      --
      The shareholder is always right.
    3. Re:Sod the security problems - what about... by E-Tray · · Score: 1

      Similar rendering bugs here too! (Firefox 0.92 Windows XP SP1)
      http://www.computergripes.com/firefoxsites.html

  45. Lousy deal by Animats · · Score: 1

    Under the new program, users reporting critical security bugs - as judged by the Mozilla Foundation staff - will collect a $500 cash prize.

    Unless applications are evaluated by some pro-consumer third party (something like Consumer's Union), it's not much of an offer. The proposed "bounty" gives the staff too much wiggle room.

    1. Re:Lousy deal by jesser · · Score: 2, Informative

      I don't like the wording in the press release either. The Bug Bounty FAQ makes it more clear, but still leaves a lot of information out.

      Bugs that will get the bounty:

      * Arbitrary code execution without user interaction.
      * Reading files with known names from the user's hard drive without user interaction.
      * Reading cookies or stored passwords for other sites without user interaction.

      For bugs that require some user interaction to exploit, human judgement is required, hence contest judges.

      Bugs that will not get the bounty:

      * Temporary DoS, such as crashing or hanging the browser.
      * Exposure of browsing history.
      * Local file detection.

      I don't know what would happen with a bug whose severity is between those listed as ineligible and those listed as eligible.

For what it's worth, about half of the security holes I've reported in Mozilla had the necessary severity (code execution, cookie read, file read). Many of those holes required user interaction, though. It might be interesting to ask the judges which of my security holes would have been eligible had I reported them after 2004-08-02, to get a better idea of what they consider eligible.

      --
      The shareholder is always right.
  46. Re:The difference between mozilla.org and Microsof by Marc+Desrochers · · Score: 2, Insightful

    If MS did offer a bounty on bugs instead of a bounty on those exploiting them, the first few claims would probably be from the same people, the exploit writers. Much money might be saved in handing out a smaller amount, rather than a quarter mil that still leaves the problem in place.

    <naiveté>Some might even conceivably make some sort of living at it, rather than writing exploits </naiveté>

  47. Mark Shuttleworth by FleaPlus · · Score: 2, Informative

    As a reminder, Mark Shuttleworth is the Internet entrepreneur who was the second space tourist. It's really quite cool to see him taking an interest in helping Mozilla.

  48. Re:Not just MS - cookie bug by Anonymous Coward · · Score: 0

    Since today it has not been possible to access slashdot.org with Mozilla 0.9.1 and cookies enabled
    With cookies off the only problem is that you cannot login, moderate or metamoderate. That should save some time then....

  49. Mozilla Foundation not a charity by 0x0d0a · · Score: 2, Insightful

    The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it. All the people that want to donate time and are already finding security bugs can already do so.

    Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

    Oh, and I'm hoping that the MF won't run into problems with people trying to scam the system by introducing security problems and then "discovering" them.

    1. Re:Mozilla Foundation not a charity by Saeed+al-Sahaf · · Score: 2, Insightful

      Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

      Imagine the outsourcing possibilities...

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  50. I found a bug! by Anonymous Coward · · Score: 0

My favorite spyware is not installing itself on my Windows machine anymore; since all my passwords are stored in Gator, I posted as an Anonymous Coward...

    Gimme my 500$!

  51. Re:The difference between mozilla.org and Microsof by jesser · · Score: 2, Insightful

    Many worms spread using holes that are already publicly known at the time the worm is written.

    --
    The shareholder is always right.
  52. It's a bribe!!! by Anonymous Coward · · Score: 1, Informative

    I guess Mozilla is afraid now that holes are starting to be found in their browser too, proving that just moving to a new browser isn't the answer that everyone has been preaching.

    Rather than have people find the holes and exploit them they figure "Why not try to pay the people who find them so they won't exploit them?" That's pretty lame!

    Why not give up your lunch money while you're at it!!!!

  53. Re:The difference between mozilla.org and Microsof by Kent+Recal · · Score: 1

    +6 Insightful.

  54. Re:The difference between mozilla.org and Microsof by Frizzle+Fry · · Score: 1

People already do make a living finding flaws in Microsoft products. They are software testers, and Microsoft employs plenty of them. I'm sure they are making more than the equivalent of $500 per bug.

    --
    I'd rather be lucky than good.
  55. Profit!!! by Jeremiah+Cornelius · · Score: 1

    1) Submit buggy patch under alias 1

    2) Report bug to bounty programme under alias 2

    3) PR0FIT!!!

    4) Repeat as necessary...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Profit!!! by Warlok · · Score: 2, Funny

Sounds like a Dilbert cartoon:

PHB: We're awarding $10 for every bug you find and fix.
Dilbert: Where are you going, Larry?
Larry: I'm going to code myself a new Porsche.

      --
      ...and you run and you run and you can't stop what's been done...
  56. Woohoo! by unsigned+integer · · Score: 2, Funny

    I'm going to write me a new minivan this afternoon!

  57. Mark Shuttleworth-Sheer support. by Anonymous Coward · · Score: 0

    "It's really quite cool to see him taking an interest in helping Mozilla."

    Getting SVG, SMIL, XForms, MathML, and complete CSS2 would be an asset.

  58. Funny by rd_syringe · · Score: 1

    That's the argument used by Microsoft to avoid announcing critical flaws before they're patched.

  59. Known for five years by rd_syringe · · Score: 1

Given the fact that that XUL bug was known for, what, a year,

    It was known since 1999 but was marked as "confidential." Very disappointing. I'm not sure why there's not more outcry over this.

    Mozilla was the big-news, major OSS project. As it gets bigger, it's exhibiting the very signs that people profess to hate about Microsoft. It's interesting to see the tables turned.

  60. Ideology versus reality by rd_syringe · · Score: 1

    The truth is that the "many eyes" idea doesn't actually work. It's not like coders sit there all night poring through the code line by line. People miss things in the code just like a company's developers miss things in their code. The Linux kernel has had plenty of system-killing bugs in its time, and Mozilla has already had several major critical flaws. What's particularly disturbing is that the XUL flaw was known since 1999 but marked "confidential."

    What we're witnessing is an OSS project struggling to deal with catering to the ideologies that spawned it while coping with the actual realities of software development. As many of us have been saying all along, nothing is inherently more secure than anything else. It gets proven time and time again.

  61. Alright! by Noose+For+A+Neck · · Score: 2, Funny

    It's only a matter of time before someone steals their confidential list of security bugs and cashes in big time.

    --

    Software piracy is victimless theft.

  62. I volunteer by Anonymous Coward · · Score: 0

To any Mozilla developers, I offer to share the bounty with you by "discovering" the bugs you may "accidentally" create. Please contact. Thanks.

  63. Re:Not really. by tiger99 · · Score: 1

    Yes you are quite correct, and thanks for the clarification. My memory is clearly becoming a bit volatile these days, I did know once upon a time it was the shell: issue. Nevertheless the very small fix from Mozilla cured the problem. I think M$ ought to pay them!

    But yes, some bugs hang around for a loooooooooong time, but AFAIK some bugs dating from Windoze 95, or before, and still present, possibly in a slightly different form, have not been fixed yet. I was reminded of one yesterday, when Xtra Pathetic locked up because I had taken the CD out of the drive, not realising that some obscure window was still wanting to access files. That sort of problem was fixed in Linux ages ago, drives are locked (where possible) to ensure you unmount properly. But even there, some things are not getting fixed.....

    Two things the software "industry" (including extremes such as the Criminal Monopoly, FOSS etc) have never been particularly good at are good quality, accurate documentation, and also prompt fixing of bugs which are not actually annoying the developers. I don't see any sign that it will change any time soon, people prefer to work on the most interesting bits..... There is much less excuse for large companies of course, they can afford to pay staff, set up QA systems and so on, yet it still does not get done, except in a few places such as IBM, Sun, Oracle..... Having said that, a few bits of FOSS documentation are first class, and high priority things which interest top developers do get fixed promptly, especially where security is concerned. But the stuff in the middle, which is neither free nor horrendously expensive (but still over-priced for what it is) is the worst of the lot.

Strangely, in the UK we once had Acorn Computers, who with one of their earlier products, the BBC Micro, managed to produce very good (but not quite perfect) documentation, and very good software with the few remaining bugs fully documented, and fixed when the next ROM was issued. Way ahead of M$ Basic of that era, and it ran faster on the 2MHz 6502 than Bill's bloat did on a 6MHz PC-AT with floating point coprocessor. They repeated that feat with the next series of RISC machines, with early ARM processors, and so did the third-party software suppliers. For a very much smaller market than M$, decent word processors, drawing packages (such as the forerunner of the super-fast Xara for the PC) etc were all less than a quarter of the price of similar but buggier packages for the PC from, you know who. I never did understand how minority market software could be cheaper, less buggy, and in some cases more user-friendly than mass-market software, except to observe that Bill was not involved. Enough said about his negative contributions to computing and the world economy, I think.

  64. Re:Not really. by Anonymous Coward · · Score: 0

    Windoze [...] Xtra Pathetic [...] Criminal Monopoly [...] M$ [...] Bill's bloat

    Holy mary mother of god.

  65. Nitpick: charity by fm6 · · Score: 1

    > The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it.

    That's what a charity does -- people give them money, and they spend it in ways that are consistent with their charter.

    Let me guess -- you associate the word "charity" with well-meaning handouts that mainly benefit people who have lots of lame excuses for not working. There are charities like that, but that's not what the word means.