Slashdot Mirror


Mozilla Bumps Security Bug Bounty To $3,000

Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

14 of 73 comments

  1. Insulting? by CannonballHead · Score: 3, Insightful

    Why is it insulting? Maybe it's "too little" but getting money for what most companies don't pay for is insulting?

    Are people really that stuck up? hehe.

    1. Re:Insulting? by sakdoctor · Score: 2, Funny

      I take all pricing set above or below the true market value to be a PERSONAL insult!
      You insensitive clod.

    2. Re:Insulting? by AHuxley · Score: 3, Insightful

      Yes, for what most post to blogs, forums, mailing lists etc. for free, it's a fair amount, esp. for any student.

      --
      Domestic spying is now "Benign Information Gathering"

    3. Re:Insulting? by alexmipego · Score: 2, Insightful

      If you work on something you usually like to get paid. It's considered insulting to pay just $500 for a bug simply because you can get a much higher paycheck if you sell it on the black market. So, if you're into security research to make money, $500 is an insult to people's time.

    4. Re:Insulting? by Lunix Nutcase · Score: 3, Insightful

      Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.

    5. Re:Insulting? by Lunix Nutcase · Score: 3, Informative

      What entitlement? Finding these major exploits is not easy and can easily take weeks or months of work to uncover. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits on the black market.

    6. Re:Insulting? by Lunix Nutcase · Score: 3, Insightful

      These researchers don't find the exploits and bugs by reading the source code. They do it by fudging around with the binary while the program is running.

    7. Re:Insulting? by quickOnTheUptake · Score: 2, Informative

      There is a big difference between a personal check from a legend and a check from a foundation or company. I would frame a check from Knuth; I would cash a check from Mozilla.

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation

    8. Re:Insulting? by gumbi west · Score: 2, Informative

      No, Charlie Miller talks about much larger payouts from MS. He said, "I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." here.

    9. Re:Insulting? by Lunix Nutcase · Score: 2, Funny

      He may use source code if it's available, which it isn't for IE, which he has found exploits in, once he's found something after doing the fuzzing, but I can assure you he doesn't just stare at the source code and go "AHA! A BUFFER OVERFLOW!!".

    10. Re:Insulting? by ewanm89 · Score: 2, Informative

      Google bounty only applies to chromium, Mozilla bounty applies to all beta, rc and stable releases of all products and services.

  2. The actual criteria by Anonymous Coward · Score: 5, Informative

    Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.

    OK, here are the actual criteria, fresh from TFA:

    • Security bug must be original and previously unreported.
    • Security bug must be a remote exploit.
    • Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
    • Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.

  3. Bad Idea by slasho81 · Score: 2, Informative

    Giving money for finding bugs is counterproductive. Here's why: http://www.youtube.com/watch?v=AIqtbPKjf6Q

  4. Re:Oblig Dilbert Quote by bunratty · Score: 2, Informative

    This is the exact reason for the disqualification criterion for the bug bounty:

    In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.

    --
    What a fool believes, he sees, no wise man has the power to reason away.