Slashdot Mirror


Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

16 of 194 comments

  1. I wonder if he's kicking himself... by NoMercy · · Score: 4, Interesting

    A few days ago you might remember someone who created an article on the vulnerabilities of a fake browser being made in an empty window using XUL...

    Guess he's 500 dollars down for blowing the whistle a week early :)

  2. Continuing the Netscape Legacy by Anonymous Coward · · Score: 4, Interesting

    Until fairly recently, Netscape used to have a similar bug bounty program but they offered $1000. So it's really just a continuation of the legacy.

  3. Re:I'll stick my neck out by mytec · · Score: 4, Interesting

    My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security peace of mind Mozilla/Firefox has rather than the type of bounty TeX has.

    If Mozilla/Firefox were to lose the mainstream perception of a more secure browser why would users of IE switch?

  4. Why? by slavemowgli · · Score: 1, Interesting

    Maybe it's just me, but I really am wondering why they're doing this. Mozilla is *full* of bugs already, many of them significant (albeit not security-related), that aren't fixed; and users that encounter security issues are likely to report them anyway, I think, no matter whether they get paid for it or not.

    --
    quidquid latine dictum sit altum videtur.

  5. Mr. Linspire will not pay anyway... by Anonymous Coward · · Score: 1, Interesting

    It is no secret that Mr. Linspire still has not paid for the Project B of his XBOX bounty.

    8 months after the deadline...

    So do you really expect that he will pay the Mozilla money?

  6. Re:Skills by jeff67 · · Score: 4, Interesting

    True, debugging is not on curricula. But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

  7. Re:I'll stick my neck out by alefbet · · Score: 2, Interesting
    If Mozilla/Firefox were to lose the mainstream perception of a more secure browser why would users of IE switch?
    I switched for the features. I stayed for the security.

    (Oh, and switching to Linux had something to do with it, too, in my case.)

    --

    A hack is just an idiom waiting for wider use.

  8. Hopefully better than the old Netscape version by Maestro4k · · Score: 2, Interesting

    IIRC, Netscape had a bug bounty of sorts and it was pretty much ignored. There was a lot of annoyance from people reporting bugs to see them either never fixed or fixed and no one given credit for the bounty. (This was all pre-AOL buying Netscape.) I know the Mozilla foundation's different, but there's a lot of people with long memories and they'll need to be prepared to show they're different in this aspect too.

  9. We will probably never get to see them by bdigit · · Score: 3, Interesting

    Mozilla likes to do security through obscurity. Don't believe me? Look through the bug reports: any of them that contain any type of security vulnerability are locked down and you are unable to view them. What's up with that, Mozilla?

    1. Re:We will probably never get to see them by RadioheadKid · · Score: 2, Interesting

      It prevents bugzilla from becoming a handbook for script kiddies.

      --
      "Karma can only be portioned out by the cosmos." -Homer Simpson
    2. Re:We will probably never get to see them by crafteh · · Score: 2, Interesting

      If the public doesn't know about them, they won't be able to take advantage of them. If it is a tough problem to solve, like the browser spoofing with xul, they can make the bug confidential until the public finds out about it or they solve it.

    3. Re:We will probably never get to see them by wfberg · · Score: 2, Interesting

      Ditto what the other respondents said. Security through obscurity is better than no security. It gives the coders a chance to fix the problem _right_, not just plug it with a blacklist or something. Once the problem is fixed (or after the next release after the fix), security bugs are opened up.

      On the one hand, it prevents some blackhats from thinking "OMG! That's a pretty serious bug right there! I'm gonna write an exploit for it!".

      On the other hand, no non-mozilla developer who happens to be looking in bugzilla can say "OMG! That's a pretty serious bug right there! I'm gonna write a patch for it, and submit it right NOW".

      Given the fact that that XUL bug was known for, what, a year, they might have considered letting someone else take a stab at solving it... You know, what with the whole open source idea being that many eyes fix bugs..

      --
      SCO employee? Check out the bounty
  10. Re:I'll stick my neck out by jesser · · Score: 2, Interesting

    TeX's bounty is for all bugs, not just security holes.

    mozilla.org's bounty is more similar to djb's bounties for security holes in his server software, djbdns and qmail. The major differences between mozilla.org's bounty and djb's are that mozilla.org produces client software rather than server software, and we expect our bounty to be won (multiple times).

    --
    The shareholder is always right.
  11. Re:I'll stick my neck out by ajrs · · Score: 2, Interesting

    There is an interesting notion. When does a bug get grandfathered?

  12. Many eyes? by Yankovic · · Score: 2, Interesting

    What happened to the open source axiom "with many eyes, all bugs are shallow"? Shouldn't it render a program like this unnecessary?

  13. Re:Not just MS by spektr · · Score: 2, Interesting

    Hm. What's causing this?

    Maybe this?