Slashdot Mirror


Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

20 of 194 comments

  1. microsoft by pvt_medic · · Score: 5, Funny

    if Microsoft did this they'd go bankrupt in a week

    obligatory jab at Microsoft

    --
    30% Troll, 50% Underrated, 10% Interesting
    Score:5, Troll
  2. The difference between mozilla.org and Microsoft by Anonymous Coward · · Score: 5, Insightful

    mozilla.org offers a $500 bounty for discovering "critical" security holes, while Microsoft offers a $250,000 bounty for catching virus authors.

  3. I wonder if he's kicking himself... by NoMercy · · Score: 4, Interesting

    A few days ago you might remember someone who created an article on the vulnerabilities of a fake browser being made in an empty window using XUL...

    Guess he's 500 dollars down for blowing the whistle a week early :)

  4. In Other News... by Anonymous Coward · · Score: 5, Funny

    Microsoft puts bounty $5,000 on head of anyone uncovering IE security flaws.

  5. Anyone know a Mozilla programmer? by jsimon12 · · Score: 5, Funny

    Cause we could go ahead and program ourselves a couple new minivans this evening ;) (yes I know Wally from Dilbert said it before I did, but this just seemed like the perfect time to use it)

  6. /. Millionaire by baby_head_rush · · Score: 3, Funny

    Imagine if /. paid a nickel for every 503 error.

    --
    Oliver's army is here to stay / Oliver's army are on their way / And I would rather be anywhere else / But here today
  7. Similar idea at Microsoft by Locky · · Score: 3, Insightful

    Instead they have a $10 million dollar pool of rewards for the capture of people who exploit the bugs for malicious purposes.

    I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.

  8. Way to turn the tables on M$! by Exmet Paff Daxx · · Score: 3, Insightful

    Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here: good cop instead of bad cop.

    Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.

    -Exmet

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
  9. A gentleman's agreement by Anonymous Coward · · Score: 5, Insightful

    If you've ever won any money at a charity fund-raiser, you know the deal:

    1) go up and accept your check
    2) nod and smile a lot
    3) donate your check back to the charity

    Is there a prayer people motivated by this bounty have the same modicum of class?

  10. Skills by www.sorehands.com · · Score: 3, Insightful

    It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.

    1. Re:Skills by jeff67 · · Score: 4, Interesting

      True, debugging is not on curricula. But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

    2. Re:Skills by kryptkpr · · Score: 3, Insightful

      Not all debugging methods are created equal.. lots of extra printf calls will only get you so far. I can't count the number of fellow students whom I had to teach to use a debugger in my algorithms class.

      Debugging should definitely be taught in classes.. at least the basics of what a debugger is, how it can help you, and how to compile your program so a debugger can read it and give you source-level breakpoints.

      --
      DJ kRYPT's Free MP3s!
  11. Continuing the Netscape Legacy by Anonymous Coward · · Score: 4, Interesting

    Until fairly recently, Netscape used to have a similar bug bounty program but they offered $1000. So it's really just a continuation of the legacy.

  12. Re:I'll stick my neck out by mytec · · Score: 4, Interesting

    My perception of the success Mozilla/Firefox has, besides a breadth of features, is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security peace of mind Mozilla/Firefox has rather than the type of bounty Tex has.

    If Mozilla/Firefox were to lose the mainstream perception of a more secure browser, why would users of IE switch?

  13. Get rich quick by Anonymous Coward · · Score: 5, Funny

    1. Submit buggy software to Mozilla project.

    2. "Find" said bug.

    3. Profit!

  14. Not just MS by krog · · Score: 5, Funny

    What if Slashdot gave $503 for every 503 Service Unavailable?

    Malda and company would be living off ramen and store-brand Mountain Dew in less than a week.

  15. Quick $500 by Bill, Shooter of Bul · · Score: 4, Funny

    I've found a serious flaw in Mozilla. It allows itself to run on Windows, an inherently insecure platform.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  16. We will probably never get to see them by bdigit · · Score: 3, Interesting

    Mozilla likes to do security through obscurity. Don't believe me? Look through the bug reports: any of them that contain any type of security vulnerability are locked down and you are unable to view them. What's up with that, Mozilla?

  17. it's entrapment! by Anonymous Coward · · Score: 5, Funny

    Dear pvt medic,

    Thank you for identifying this IE exploit! The FBI prize patrol should be by shortly with your reward!

    Sincerely,
    Bill Gates

  18. This is just marketing spin... by xxxJonBoyxxx · · Score: 3, Insightful

    The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.

    Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.

    On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.