Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Bumps Security Bug Bounty To $3,000

Posted by kdawson on from the doing-well-by-doing-good dept.

Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

73 comments

  1. Insulting? by CannonballHead · · Score: 3, Insightful

    Why is it insulting? Maybe it's "too little" but getting money for what most companies don't pay for is insulting?

    Are people really that stuck up? hehe.

    1. Re:Insulting? by sakdoctor · · Score: 2, Funny

      I take all pricing set above or below the true market value to be a PERSONAL insult!
      You insensitive clod.

    2. Re:Insulting? by AHuxley · · Score: 3, Insightful

      Yes for what most post to blogs, forums, mailing lists ect for free its a fair amount esp for any student.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Insulting? by CannonballHead · · Score: 1

      Pricing ABOVE true market value is a personal insult, too? Yikes. ;)

    4. Re:Insulting? by CannonballHead · · Score: 1

      Precisely. $3000 is of course more than $500, and Google certainly could afford more ... although, on the other hand, Google has way more products to find bugs in, etc. Anyways, the whiff of "entitlement" in that statement seems strong to me.

    5. Re:Insulting? by gad_zuki! · · Score: 1

      I think "insulting" is code for "the market value of this vulnerability is much higher. I'd rather sell it to buyer other than Mozilla." In other words, most ethics are based in economics. Its easy to do good when there's money involved in doing so.

    6. Re:Insulting? by alexmipego · · Score: 2, Insightful

      If you work on something you usually like to get paid. It's considered insulting to pay just 500$ for a bug simply because you can get a much higher paycheck if you sell it on the black market. So, if you're into security research to make money, 500$ is an insult to people's time.

    7. Re:Insulting? by Lunix+Nutcase · · Score: 3, Insightful

      Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.

    8. Re:Insulting? by Goaway · · Score: 1

      The companies may not pay for it, but that does not mean there are not others who will pay.

    9. Re:Insulting? by HungryHobo · · Score: 1

      meh, I'm student and a comp sci grad and I almost certainly won't find anything but that figures enough that I'll be spending a few evenings this week examining the firefox source code.

    10. Re:Insulting? by Lunix+Nutcase · · Score: 3, Informative

      What entitlement? Finding these major exploits are not easy and can easily take weeks or months or work to uncover. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits to the black market.

    11. Re:Insulting? by Lunix+Nutcase · · Score: 3, Insightful

      These researchers don't find the exploits and bugs by reading the source code. They do it by fudging around with the binary while the program is running.

    12. Re:Insulting? by n6mod · · Score: 1

      But to make tens of thousands on the black market, you really need a weaponized exploit. Mozilla will be quite happy with a detailed bug report.

      --
      You have violated Robot's Rules of Order and will be asked to leave the future immediately.
    13. Re:Insulting? by robmv · · Score: 1

      maybe that means... "I have a lot of money to waste and you not" jaja

    14. Re:Insulting? by CannonballHead · · Score: 1

      Maybe they aren't catering to those types of people?

    15. Re:Insulting? by Lunix+Nutcase · · Score: 1

      They aren't catering to security researchers? Who else are they supposed to be catering to?

    16. Re:Insulting? by Dare+nMc · · Score: 1

      It's considered insulting to pay just 500$ for a bug

      Donald Knuth used to pay $2.56 per bug found in his programming books, the recognition was more valuable than the amount and most people would frame the checks and never cash, as a matter of pride "I was recognized."
      So getting a acknowledgment of finding a bug +value, getting significant money as well ++ value. Not worrying about selling your bug to people who might kill you if they think you screwed them or turned them in, and not worrying if the FBI, etc will throw you in jail for breaking laws... priceless.

    17. Re:Insulting? by Anonymous Coward · · Score: 0

      Right. By setting the price low, they motivate the altruistic and well-intended researchers without attracting increased attention from those who have less favourable motives. A researcher whose personal business model includes finding ways to screw Mozilla is unlikely to flip for a simple fee increase alone.

    18. Re:Insulting? by CannonballHead · · Score: 1

      Already-known professional security researchers are the only ones that can provide these? Maybe they are trying to get young whipper-snappers.

    19. Re:Insulting? by alexmipego · · Score: 1

      Finding a bug in a book is a matter of reading, proof reading and testing every example on the book to see if it works well. You could say it's an exact science because you can simply define a couple rules and follow them until you find a small mistake.

      Finding a bug on a software isn't that simple. For starters there are millions of lines of code and unlike books a single line can affect millions of other line's logic paths/assumptions/etc. There is no single method you can apply to find a bug and that's why security research is so hard.

      No matter how good a security researcher you are, you can never be 100% sure before hand that you can find a bug. Add that to the fact that the rules usually are something like "Critical Bugs only" and you've very few chances of success.

      If you're not being paid a steady check to work on something like Mozilla or Chrome, chances are that 500$ isn't enough to make you learn their code, test and find something that you might never even find.

    20. Re:Insulting? by xouumalperxe · · Score: 1

      Would those younger whipper-snappers not be able to get more than 500$ on the black market, then?

    21. Re:Insulting? by quickOnTheUptake · · Score: 2, Informative

      There is a big difference between a personal check from a legend and a check from a foundation or company. I would frame a check from Knuth; I would cash a check from Mozilla.

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    22. Re:Insulting? by mots · · Score: 1

      Similarly, google pays $1337 for particularly severe or particularly clever bugs.

    23. Re:Insulting? by Dare+nMc · · Score: 1

      Finding a bug on a software isn't that simple. For starters there are millions of lines of code

      That is likely true for fixing a bug. No where did it say you had to find the line of code, that causes the issue. But finding a bug in software, when you have the software, and say it was free software so anyone could use it... Then the difficulty in finding a bug could be as simple as downloading a copy of Mozilla and using it.
      Similar to this security issue bounty, his bounty wasn't for grammer, it was for finding a significant issue. Most likely this $500 gives enough incentive to pay for the time spent after discovering something, to see if it's repeatable, document, submit, and answer questions...

    24. Re:Insulting? by alexmipego · · Score: 1

      That's true if you're the casual finder, but not if you live of security research.

      I do know it isn't as simple as looking at the code and sometimes you don't even do that, the point was that finding a bug on something as widely tested and used and a browser isn't as simple as proof-reading a book.

    25. Re:Insulting? by gumbi+west · · Score: 1

      Do you mean besides Charlie Miller frequent pwn2own winner? He uses fuzzers and source code, and even reverse engineers binaries.

    26. Re:Insulting? by gumbi+west · · Score: 2, Informative

      No, Charlie Miller talks about much larger payouts from MS. He said, "I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." here.

    27. Re:Insulting? by Lunix+Nutcase · · Score: 2, Funny

      He may use source code if it's available, which it isn't for IE which has has found exploits in, once he's found something by after doing the fuzzing but I can assure you he doesn't just stare at the source code and go "AHA! A BUFFER OVERFLOW!!".

    28. Re:Insulting? by gumbi+west · · Score: 1

      No, I think the $500 offered by google is insulting because it's like offering some $10 to clean your house when it would cost them more than that to drive there. Interestingly, people don't seem to mind that much when the price is like $1 million, i.e. DARPA has given prizes of this size and the winner has spent six times that (not to mention all the looser) but I think if DARPA didn't want to offer the $1 million, they would be better off offering nothing than, i.e. $50, because the nothing suggests that it was a difficult prize to price, or that winning it was its own substantial reward, while $50 suggests that the prize wasn't worth that much--it would be an insult to the winner.

    29. Re:Insulting? by ewanm89 · · Score: 2, Informative

      Google bounty only applies to chromium, Mozilla bounty applies to all beta, rc and stable releases of all products and services.

    30. Re:Insulting? by CannonballHead · · Score: 1

      That is another argument... but in that case, Google is stupid, not insulting. If you want to argue that route, I may agree with you.

    31. Re:Insulting? by ArsonSmith · · Score: 1

      So the solution is to write a book about Firefox?

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    32. Re:Insulting? by ewanm89 · · Score: 1

      If the source is available, they'll also read through it. It's quite possible that they'll notice something someone else didn't especially if 1) they didn't write the code and 2) they know the kinds of things they are looking for. When code is not available a common step is to disassemble the code and to start to reverse engineer it.

      Automatic fuzzers and exploit testers seldom provide results as 1) vendors can and generally do run such tests themselves and 2) they only test for the particular cases they are programmed to look for, not new slightly more obscure cases.

    33. Re:Insulting? by ewanm89 · · Score: 1

      No, someone else can weaponise it easily, have you seen the way metasploit works? It takes little common exploit and common payload and sticks them together into one weaponised exploit.

    34. Re:Insulting? by ArsonSmith · · Score: 1

      But $500 was the market value. That was the most that the Moz foundation was willing to pay for sec bugs.

      They got a bunch of the low hanging fruit with that.

      Now at $3k they'll get the next harder sec bugs reported and fixed, as well as paying out some more money for fewer bugs.

      At some point I bet they'll raise it again to maybe $10k, $20k, $100k as they find and nail down all security problems. Wasn't Tex or LaTex or something done in a similar way as well?

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    35. Re:Insulting? by ewanm89 · · Score: 1

      No, but they are more likely to let mozilla know about the exploit than stick it into the blackmarket, the fact that if they find something that gains access to mozilla's employee database or somesuch they may still screw with it, that's something else entirely.

    36. Re:Insulting? by ewanm89 · · Score: 1

      He still does, (figuratively, anyway, it's now a hall of fame on his website). He did it for TeX too, the key is his pricing scheme with TeX was such that the next bug would be exponentially more expensive, as that way as there were less bugs left to find so he payed more for finding them. However as TeX is now in several different implementations that aren't maintained by Knuth, he nolonger needs to worry about the TeX ones.

    37. Re:Insulting? by b4dc0d3r · · Score: 1

      while you can make an argument that you are technically correct, "upwards of $10,000" is pretty misleading, "less than $5000" would be a better figure.

      Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."

      http://tech.slashdot.org/story/10/05/21/2134236/How-To-Go-Broke-Selling-Zero-Day-Exploits?from=rss

    38. Re:Insulting? by General+Wesc · · Score: 1

      The Cost of Social Norms.

    39. Re:Insulting? by Tubal-Cain · · Score: 1

      I admit I don't know much about it, but I don't get the impression that TeX support as much of a moving target as Web browser security/UI/standards/etc. What massive changes has LaTeX needed to undergo these last few years in order to stay relevant? Mozilla has improved their Acid3 support, deal with security vulnerabilities that will never apply to LaTeX, added Theora support for the tag, they're probably working on the rest of HTML5, they're changing to a Chrome-like UI, they're overhauling their plugin system...so much opportunity for "trivial" bugs.

    40. Re:Insulting? by darthflo · · Score: 1

      You're probably thinking of these. Not quite $3000, but 0x$1 is a start.

  2. Many eyes make all bugs shallow...not by Anonymous Coward · · Score: 1, Funny

    <nt>

  3. The actual criteria by Anonymous Coward · · Score: 5, Informative

    Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.

    OK, here are the actual criteria, fresh from TFA:

    • Security bug must be original and previously unreported.
    • Security bug must be a remote exploit.
    • Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging./li>
    • Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.
    1. Re:The actual criteria by Anonymous Coward · · Score: 0

      ooh, so they omit the massive security hole of their plugin approval process

  4. Knuth by mandelbr0t · · Score: 1

    It worked for him; the cheque from him was worth far more than the value printed on it. I think that offering rewards for disclosure can only lead to better code. Microsoft hasn't yet implemented this method as they would rapidly go broke.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  5. Re:In related news... by Chapter80 · · Score: 1, Informative

    4 Insightful?

    Did you mods even read this? Completely compromises the system from a remote location without internet connection?

    Cmon!

  6. Find and recreate can take time by bzipitidoo · · Score: 1

    As an example, text box input of Firefox used to have some bad bugs I never did track down, though I tried. After much editing and jumping about in the text box, sometimes using backspace would erase the wrong character. Would remove a character at the end of a line several lines above the cursor. Tried to recreate the bug with sequences of keystrokes I guessed might cause it, but no luck. I thought of buying a keylogger so I could capture the keystrokes the next time it happened. But that was getting to be more work than I was willing to do for free, so I never did. Haven't seen that bug in a long time, so I suppose it was inadvertently fixed when rewriting parts of Firefox.

    Understandably, developers have this attitude that if it can't be easily recreated, it's not worth hunting down, or the persons who noticed the problem should hunt it down themselves. After all, it could be a PEBKAC. Often a bug like that isn't worth chasing down. What such a bug shows is that the code that handles text input is garbage and ought to be rewritten from scratch, and I think that is what eventually happened.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  7. Re:In related news... by PseudonymousBraveguy · · Score: 1

    Mozilla has a history of paying those bounties, why should that change? Have I missed that they are somehow evil now?

  8. Que the... by NetNed · · Score: 1

    "It's not a bug, it's a feature!"

    1. Re:Que the... by Anonymous Coward · · Score: 0

      No, you mean "Cue the..."

  9. Bad Idea by slasho81 · · Score: 2, Informative

    Giving money for finding bugs is counterproductive. Here's why: http://www.youtube.com/watch?v=AIqtbPKjf6Q

    1. Re:Bad Idea by bunratty · · Score: 1

      That video explains why giving a low amount such as $500 is counterproductive. Paying a fair amount of money for security research is compensating people for the time and effort for finding and reporting the bug. As an example from the video, it's like giving someone $50, a fair amount, to change your tire instead of $1, which is an insulting amount.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Bad Idea by slasho81 · · Score: 1

      You completely missed the point. It's about the social contract.

    3. Re:Bad Idea by bunratty · · Score: 1

      We don't have a social contract with Mozilla. It's a corporation. Do you build a social relationship with Mozilla so it can help you in times of distress? It sounds like you missed the point.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    4. Re:Bad Idea by TravisO · · Score: 1

      Dan is talking about paying money as a routine, like a salary. The security exploit pay is like a reward, you don't get paid for the effort, anybody can make the effort but only 1% of the people who would try are capable of finding a real security hole. The effect doesn't apply.

    5. Re:Bad Idea by Anonymous Coward · · Score: 0

      Did you even watch the video?

    6. Re:Bad Idea by dveditz · · Score: 1

      A public benefit corporation wholly owned by a non-profit foundation. If you don't think this approach furthers the mission please let us know.

    7. Re:Bad Idea by bunratty · · Score: 1

      I think it does further the mission. Giving $3000 per security bug is not counterproductive because security researchers do not have a social contract with Mozilla. Mozilla will not give us a ride to work if our car breaks down. Mozilla giving $3000 for a security bug is not like giving your mother-in-law money for Thanksgiving dinner for this reason.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    8. Re:Bad Idea by sunwolf · · Score: 1

      ....aaaaand more: http://www.youtube.com/watch?v=u6XAPnuFjJc

    9. Re:Bad Idea by bunratty · · Score: 1

      I don't see how that applies in this situation, either. Mozilla is not paying people to specifically look for security problems in Firefox. The security researchers do whatever they want -- they're autonomous, doing the research they want to do for their own motivation. If during their work they happen to find a bug in Mozilla, this makes it easy for them to do the right thing and report the problem to Mozilla first, before someone else finds the problem.

      According to the video, if they employed security researchers to specifically look for security bugs in Firefox, it would not work to give them a large bonus for each security bug found. That's not what they're doing, though.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    10. Re:Bad Idea by BZ · · Score: 1

      This isn't money for finding bugs. This is money for, once you have found a bug, reporting it to Mozilla as opposed to selling it on the black market or just posting it on your blog so as to 0-day users.

      That is, the assumption is that people are looking for bugs and are perhaps finding them. The bounty is to convince them to do things _after_ that in a way that does minimal harm to Mozilla's user.

  10. and sitting in front of my computer by nimbius · · Score: 1

    right now using firefox, all i can think is not about how much the firefox team would be glad to receive my find, but how amazed the pub will be when I start my $3000 tab for top shelf microbrews!

    --
    Good people go to bed earlier.
  11. Oblig Dilbert Quote by Spikeorama · · Score: 1

    I need to sign up to work on Mozilla products! Boss: "Our goal is to write bug free software. I'll pay a ten-dollar bonus for every bug you find and fix. I hope this drives the right behavior." Wally: "I'm gonna write me a new minivan this afternoon!"

    1. Re:Oblig Dilbert Quote by bunratty · · Score: 2, Informative
      This is the exact reason for the disqualification criterion for the bug bounty

      In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  12. $10,000 per flaw by AthleteMusicianNerd · · Score: 1

    Is what it would take to get me to look at it.

  13. Re:In related news... by gumbi+west · · Score: 1

    The /. editors have infinite mod points and can add more than 1 to a comment. Usually when I see a way out of bounds mod like this that then gets corrected back to reality I wonder if the editor was just being a tool. But since we can't see editor mods separately so you never do know, maybe early birds are just different moderators than late comers.

  14. Re: better idea for $3,000 per bug by Anonymous Coward · · Score: 0

    Bounty systems are totally worthless. At most one person gets paid for the concurrent labor of dozens of people trying to "win" the contest; meanwhile they're all out the time they spent working for free. If it takes a skilled person a week and a half to find a bug, and the person is guaranteed to receive compensation for the work involved in finding the bug, then the discovery of the bug is worth about $3,000. However, if ten people are competing for the same jackpot, then the total work done is worth $30,000. All but one of those people are probably going to miss a mortgage payment.

    Better idea: Offer to pay smart people $400 per day to audit source code. Bring in 7 people per day, so you're paying $2,800 per day. Because the people are all working together and being directed to problem areas by management, they'll be able to work efficiently in parallel, and you'll end up getting a week and a half worth of work done every day, and on average the team will discover a bug every day. Give the person who finds the bug a $200 bonus, and bring them all back tomorrow. Total: $3,000 per bug (average).

  15. Re: better idea for $3,000 per bug by Anonymous Coward · · Score: 0

    and you wouldn't even need to get out of bed to do it!

  16. Re:FP by Anonymous Coward · · Score: 0

    67th post, bitches!

  17. microsoft bug fix by helix2301 · · Score: 1

    Microsoft would never do this they would get hackered apart worse then they do now with virus and spyware problems. There PR department would be out of control busy. Plus Microsoft patch team would have to be doubled in staff. Patch Tuesday would be every Tuesday.

    --
    http://www.thetechnologygeek.org
  18. Where are they getting the money? by tjstork · · Score: 1

    Just curious, but who is donating bucks to Mozilla?

    --
    This is my sig.