Slashdot Mirror


Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

48 of 194 comments

  1. microsoft by pvt_medic · · Score: 5, Funny

    if microsoft did this they go bankrupt in a week


    obligatory jab at microsoft

    --
    30% Troll, 50% Underrated, 10% Interesting
    Score:5, Troll
    1. Re:microsoft by dsbaha · · Score: 2, Funny

      That is assuming that they'll even recognize the problem!

  2. The difference between mozilla.org and Microsoft by Anonymous Coward · · Score: 5, Insightful

    mozilla.org offers a $500 bounty for discovering "critical" security holes, while Microsoft offers a $250,000 bounty for catching virus authors.

  3. I wonder if he's kicking himself... by NoMercy · · Score: 4, Interesting

    A few days ago you might remember someone who created an article on the vulnerabilities of a fake browser being made in an empty window using XUL...

    Guess he's 500 dollars down for blowing the whistle a week early :)

  4. In Other News... by Anonymous Coward · · Score: 5, Funny

    Microsoft puts bounty $5,000 on head of anyone uncovering IE security flaws.

  5. Anyone know a Mozilla programmer? by jsimon12 · · Score: 5, Funny

    Cause we could go ahead and program ourselves a couple new minivans this evening ;) (yes I know Wally from Dilbert said it before I did, but this just seemed like the perfect time to use it)

  6. /. Millionaire by baby_head_rush · · Score: 3, Funny

    Imagine if /. paid a nickle for every 503 error.

    --
    Oliver's army is here to stay Oliver's army are on their way And I would rather be anywhere else But here today
  7. I'll stick my neck out by NeoThermic · · Score: 2, Insightful

    ...but doesn't this sound a bit desperate? IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate. (And a lot of people would be rich).

    All credit to the Mozilla Foundation if they can keep their image with this kind of approach to security.

    Now, who's going to be the first to earn their $500?

    NeoThermic

    --
    Use my link above, or to view my server, NeoThermic.com
    1. Re:I'll stick my neck out by ajrs · · Score: 2, Informative

      I'll chop it off for you. You might want to check out this link about TeX, which has had a bounty for decades.

      I think you might have confused bragging with desperation.

    2. Re:I'll stick my neck out by mytec · · Score: 4, Interesting

      My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security peace of mind Mozilla/Firefox has rather than the type of bounty TeX has.

      If Mozilla/Firefox were to lose the mainstream perception of a more secure browser why would users of IE switch?

    3. Re:I'll stick my neck out by alefbet · · Score: 2, Interesting

      > If Mozilla/Firefox were to lose the mainstream perception of a more secure browser why would users of IE switch?

      I switched for the features. I stayed for the security.

      (Oh, and switching to Linux had something to do with it, too, in my case.)

      --

      A hack is just an idiom waiting for wider use.
    4. Re:I'll stick my neck out by jesser · · Score: 2, Interesting

      TeX's bounty is for all bugs, not just security holes.

      mozilla.org's bounty is more similar to djb's bounties for security holes in his server software, djbdns and qmail. The major differences between mozilla.org's bounty and djb's are that mozilla.org produces client software rather than server software, and we expect our bounty to be won (multiple times).

      --
      The shareholder is always right.
    5. Re:I'll stick my neck out by ajrs · · Score: 2, Interesting

      There is an interesting notion. When does a bug get grandfathered?

  8. Similar idea at Microsoft by Locky · · Score: 3, Insightful

    Instead they have a $10 million dollar pool of rewards for the capture of people who exploit the bugs for malicious purposes.

    I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.

  9. Way to turn the tables on M$! by Exmet+Paff+Daxx · · Score: 3, Insightful

    Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

    Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.

    -Exmet

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
  10. A gentleman's agreement by Anonymous Coward · · Score: 5, Insightful

    If you've ever won any money at a charity fund-raiser, you know the deal:

    1) go up and accept your check
    2) nod and smile a lot
    3) donate your check back to the charity

    Is there a prayer people motivated by this bounty have the same modicum of class?

  11. Skills by www.sorehands.com · · Score: 3, Insightful

    It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.

    1. Re:Skills by jeff67 · · Score: 4, Interesting

      True, debugging is not on curricula. But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

    2. Re:Skills by kryptkpr · · Score: 3, Insightful

      Not all debugging methods are created equal.. lots of extra printf calls will only get you so far. I can't count the number of fellow students whom I had to teach to use a debugger in my algorithms class.

      Debugging should definitely be taught in classes.. at least the basics of what a debugger is, how it can help you, and how to compile your program so a debugger can read it and give you source-level breakpoints.

      --
      DJ kRYPT's Free MP3s!
  12. Continuing the Netscape Legacy by Anonymous Coward · · Score: 4, Interesting

    Until fairly recently, Netscape used to have a similar bug bounty program but they offered $1000. So it's really just a continuation of the legacy.

  13. Get rich quick by Anonymous Coward · · Score: 5, Funny

    1. Submit buggy software to Mozilla project.

    2. "Find" said bug.

    3. Profit!

  14. Not just MS by krog · · Score: 5, Funny

    What if Slashdot gave $503 for every 503 Service Unavailable?

    Malda and company would be living off ramen and store-brand Mountain Dew in less than a week.

    1. Re:Not just MS by spektr · · Score: 2, Interesting

      Hm. What's causing this?

      Maybe this?

  15. ARGHHHHHHHHHH~!!!! by Ex+Machina · · Score: 2, Funny

    why did I submit those bugs in the past :(((

  16. Quick $500 by Bill,+Shooter+of+Bul · · Score: 4, Funny

    I've found a serious flaw in Mozilla. It allows itself to run on Windows, an inherently insecure platform.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  17. Hopefully better than the old Netscape version by Maestro4k · · Score: 2, Interesting

    IIRC, Netscape had a bug bounty of sorts and it was pretty much ignored. There was a lot of annoyance from people reporting bugs to see them either never fixed or fixed and no one given credit for the bounty. (This was all pre-AOL buying Netscape.) I know the Mozilla foundation's different, but there's a lot of people with long memories and they'll need to be prepared to show they're different in this aspect too.

  18. We will probably never get to see them by bdigit · · Score: 3, Interesting

    Mozilla likes to do security through obscurity. Don't believe me? Look through the bug reports: any of them that contain any type of security vulnerability are locked down and you are unable to view them. What's up with that, Mozilla?

    1. Re:We will probably never get to see them by RadioheadKid · · Score: 2, Interesting

      It prevents bugzilla from becoming a handbook for script kiddies.

      --
      "Karma can only be portioned out by the cosmos." -Homer Simpson
    2. Re:We will probably never get to see them by crafteh · · Score: 2, Interesting

      If the public doesn't know about them, they won't be able to take advantage of them. If it is a tough problem to solve, like the browser spoofing with xul, they can make the bug confidential until the public finds out about it or they solve it.

    3. Re:We will probably never get to see them by wfberg · · Score: 2, Interesting

      Ditto what the other respondents said. Security through obscurity is better than no security. It gives the coders a chance to fix the problem _right_, not just plug it with a blacklist or something. Once the problem is fixed (or after the next release after the fix), security bugs are opened up.


      On the one hand, it prevents some blackhats from thinking "OMG! That's a pretty serious bug right there! I'm gonna write an exploit for it!".

      On the other hand, no non-mozilla developer who happens to be looking in bugzilla can say "OMG! That's a pretty serious bug right there! I'm gonna write a patch for it, and submit it right NOW".

      Given the fact that that XUL bug was known for, what, a year, they might have considered letting someone else take a stab at solving it... You know, what with the whole open source idea being that many eyes fix bugs..

      --
      SCO employee? Check out the bounty
    4. Re:We will probably never get to see them by HadMatter · · Score: 2, Informative

      So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

      Quoting from the Mozilla Security Bug Bounty FAQ:

      > If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?
      >
      > No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

      So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.

  19. it's entrapment! by Anonymous Coward · · Score: 5, Funny

    Dear pvt medic,

    Thank-you for identifying this IE exploit! The FBI prize patrol should be by shortly with your reward!

    Sincerely,
    Bill Gates

  20. If you *do* find a bug... by Anonymous Coward · · Score: 2, Funny

    ...and get $500 for your effort, you may want to keep it (as opposed to donating it to charity or giving it back to the foundation, as others have suggested here) because you're going to need it when you get sued for your service to the community.

    Thank you, DMCA and anything that protects big businesses which had their servers infect their customers' computers, but nobody got to know which businesses because they might lose money if their IT carelessness was made public.

  21. Re:Why? by interJ · · Score: 2, Insightful

    1. Users don't accidentally run into buffer overflows (or many other security bug types). It's something you have to actively search for. The money is supposed to motivate more people to do this.

    2. You may think that MNG support is more important than sites that can take over your computer or steal your credit card number. However, most people (including Mozilla developers) would disagree.

  22. This is just marketing spin... by xxxJonBoyxxx · · Score: 3, Insightful

    The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.

    Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.

    On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.

  23. "Significant" by Neutronix · · Score: 2, Insightful

    Perhaps I've been living too long in a cynical world...

    But defining what a "significant bug" is will be extremely important, since this is not an unbiased concept: who will decide what is significant or not? Certainly it will not be whoever reports the bug, but it shouldn't be the one that pays the bill either.

    --
    Long live TUX!
  24. Not using a debugger by www.sorehands.com · · Score: 2, Insightful

    Using a debugger without knowing what you are looking for is virtually useless. One needs to apply scientific methods and smart tool related methods.

  25. Many eyes? by Yankovic · · Score: 2, Interesting

    What happened to the open source axiom "with many eyes, all bugs are shallow"? Shouldn't it render a program like this unnecessary?

    1. Re:Many eyes? by tiger99 · · Score: 2, Insightful

      Yes and no, yes because with sufficient eyes, all bugs are indeed shallow, and no because probably not so many eyes bother to look at the Mozilla source, as the Linux kernel, for example. This encourages more eyes to look.

  26. Re:The difference between mozilla.org and Microsof by Marc+Desrochers · · Score: 2, Insightful

    If MS did offer a bounty on bugs instead of a bounty on those exploiting them, the first few claims would probably be from the same people, the exploit writers. Much money might be saved in handing out a smaller amount, rather than a quarter mil that still leaves the problem in place.

    <naiveté>Some might even conceivably make some sort of living at it, rather than writing exploits </naiveté>

  27. Mark Shuttleworth by FleaPlus · · Score: 2, Informative

    As a reminder, Mark Shuttleworth is the Internet entrepreneur who was the second space tourist. It's really quite cool to see him taking an interest in helping Mozilla.

  28. Re:Lousy deal by jesser · · Score: 2, Informative

    I don't like the wording in the press release either. The Bug Bounty FAQ makes it more clear, but still leaves a lot of information out.

    Bugs that will get the bounty:

    * Arbitrary code execution without user interaction.
    * Reading files with known names from the user's hard drive without user interaction.
    * Reading cookies or stored passwords for other sites without user interaction.

    For bugs that require some user interaction to exploit, human judgement is required, hence contest judges.

    Bugs that will not get the bounty:

    * Temporary DoS, such as crashing or hanging the browser.
    * Exposure of browsing history.
    * Local file detection.

    I don't know what would happen with a bug whose severity is between those listed as ineligible and those listed as eligible.

    For what it's worth, about half of the security holes I've reported in Mozilla had the necessary severity (code execution, cookie read, file read). Many of those holes required user interaction, though. It might be interesting to ask the judges which of my security holes would have been eligible had I reported them after 2004-08-02, to get a better idea of what they consider eligible.

    --
    The shareholder is always right.
  29. Mozilla Foundation not a charity by 0x0d0a · · Score: 2, Insightful

    The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it. All the people that want to donate time and are already finding security bugs can already do so.

    Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

    Oh, and I'm hoping that the MF won't run into problems with people trying to scam the system by introducing security problems and then "discovering" them.

    1. Re:Mozilla Foundation not a charity by Saeed+al-Sahaf · · Score: 2, Insightful

      > Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

      Imagine the outsourcing possibilities...

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  30. Re:The difference between mozilla.org and Microsof by jesser · · Score: 2, Insightful

    Many worms spread using holes that are already publicly known at the time the worm is written.

    --
    The shareholder is always right.
  31. Woohoo! by unsigned+integer · · Score: 2, Funny

    I'm going to write me a new minivan this afternoon!

  32. Re:Profit!!! by Warlok · · Score: 2, Funny

    Sounds like a Dilbert cartoon:

    PHB: We're awarding $10 for every bug you find and fix.
    Dilbert: Where are you going, Larry?
    Larry: I'm going to code myself a new Porsche.

    --
    ...and you run and you run and you can't stop what's been done...
  33. Alright! by Noose+For+A+Neck · · Score: 2, Funny

    It's only a matter of time before someone steals their confidential list of security bugs and cashes in big time.

    --

    Software piracy is victimless theft.