Slashdot Mirror


Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc. and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

17 of 194 comments

  1. The difference between mozilla.org and Microsoft by Anonymous Coward · · Score: 5, Insightful

    mozilla.org offers a $500 bounty for discovering "critical" security holes, while Microsoft offers a $250,000 bounty for catching virus authors.

  2. I'll stick my neck out by NeoThermic · · Score: 2, Insightful

    ...but doesn't this sound a bit desperate? IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or is getting desperate. (And a lot of people would be rich).

    All credit to the Mozilla Foundation if they can keep their image with this kind of approach to security.

    Now, who's going to be the first to earn their $500?

    NeoThermic

    --
    Use my link above, or to view my server, NeoThermic.com

  3. Similar idea at Microsoft by Locky · · Score: 3, Insightful

    Instead they have a $10 million pool of rewards for the capture of people who exploit the bugs for malicious purposes.

    I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.

  4. Way to turn the tables on M$! by Exmet+Paff+Daxx · · Score: 3, Insightful

    Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here: good cop instead of bad cop.

    Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.

    -Exmet

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.

  5. A gentleman's agreement by Anonymous Coward · · Score: 5, Insightful

    If you've ever won any money at a charity fund-raiser, you know the deal:

    1) go up and accept your check
    2) nod and smile a lot
    3) donate your check back to the charity

    Is there a prayer people motivated by this bounty have the same modicum of class?

  6. Skills by www.sorehands.com · · Score: 3, Insightful

    It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.

    1. Re:Skills by kryptkpr · · Score: 3, Insightful

      Not all debugging methods are created equal... lots of extra printf calls will only get you so far. I can't count the number of fellow students whom I had to teach to use a debugger in my algorithms class.

      Debugging should definitely be taught in classes... at least the basics of what a debugger is, how it can help you, and how to compile your program so a debugger can read it and give you source-level breakpoints.

      --
      DJ kRYPT's Free MP3s!

  7. Re:Why? by interJ · · Score: 2, Insightful

    1. Users don't accidentally run into buffer overflows (or many other security bug types). It's something you have to actively search for. The money is supposed to motivate more people to do this.

    2. You may think that MNG support is more important than sites that can take over your computer or steal your credit card number. However, most people (including Mozilla developers) would disagree.

  8. Re:The difference between mozilla.org and Microsof by Anonymous Coward · · Score: 1, Insightful

    Also, notice that one is based on prevention, the other is based on punishment.

    Which one do you think is more efficient?

  9. This is just marketing spin... by xxxJonBoyxxx · · Score: 3, Insightful

    The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.

    Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.

    On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.

  10. "Significant" by Neutronix · · Score: 2, Insightful

    Perhaps I've been living too long in a cynical world...

    But defining what a "significant bug" is will be extremely important, since this is not an unbiased concept. Who will decide what is significant or not? Certainly it will not be whoever reports the bug, but it shouldn't be the one that pays the bill either.

    --
    Long live TUX!

  11. Not using a debugger by www.sorehands.com · · Score: 2, Insightful

    Using a debugger without knowing what you are looking for is virtually useless. One needs to apply scientific methods and smart tool-related methods.

  12. Re:Many eyes? by tiger99 · · Score: 2, Insightful

    Yes and no: yes because with sufficient eyes, all bugs are indeed shallow, and no because probably not so many eyes bother to look at the Mozilla source as at the Linux kernel, for example. This encourages more eyes to look.

  13. Re:The difference between mozilla.org and Microsof by Marc+Desrochers · · Score: 2, Insightful

    If MS did offer a bounty on bugs instead of a bounty on those exploiting them, the first few claims would probably be from the same people, the exploit writers. Much money might be saved in handing out a smaller amount, rather than a quarter mil that still leaves the problem in place.

    <naiveté>Some might even conceivably make some sort of living at it, rather than writing exploits </naiveté>

  14. Mozilla Foundation not a charity by 0x0d0a · · Score: 2, Insightful

    The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it. All the people that want to donate time and are already finding security bugs can already do so.

    Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

    Oh, and I'm hoping that the MF won't run into problems with people trying to scam the system by introducing security problems and then "discovering" them.

    1. Re:Mozilla Foundation not a charity by Saeed+al-Sahaf · · Score: 2, Insightful

      Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

      Imagine the outsourcing possibilities...

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck

  15. Re:The difference between mozilla.org and Microsof by jesser · · Score: 2, Insightful

    Many worms spread using holes that are already publicly known at the time the worm is written.

    --
    The shareholder is always right.