Mozilla Starts Bug Bounty Program
AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc. and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."
mozilla.org offers a $500 bounty for discovering "critical" security holes, while Microsoft offers a $250,000 bounty for catching virus authors.
Instead they have a $10 million pool of rewards for the capture of people who exploit the bugs for malicious purposes.
I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.
Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here: good cop instead of bad cop.
Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.
-Exmet
If guns kill people, then CmdrTaco's keyboard misspells words.
If you've ever won any money at a charity fund-raiser, you know the deal:
1) go up and accept your check
2) nod and smile a lot
3) donate your check back to the charity
Is there a prayer people motivated by this bounty have the same modicum of class?
It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.
Fight Spammers!
The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.
Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.
On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.