Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Bumps Security Bug Bounty To $3,000

Posted by kdawson on from the doing-well-by-doing-good dept.

Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

6 of 73 comments (clear)

  1. Insulting? by CannonballHead · · Score: 3, Insightful

    Why is it insulting? Maybe it's "too little" but getting money for what most companies don't pay for is insulting?

    Are people really that stuck up? hehe.

    1. Re:Insulting? by AHuxley · · Score: 3, Insightful

      Yes for what most post to blogs, forums, mailing lists ect for free its a fair amount esp for any student.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Insulting? by Lunix+Nutcase · · Score: 3, Insightful

      Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.

    3. Re:Insulting? by Lunix+Nutcase · · Score: 3, Informative

      What entitlement? Finding these major exploits are not easy and can easily take weeks or months or work to uncover. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits to the black market.

    4. Re:Insulting? by Lunix+Nutcase · · Score: 3, Insightful

      These researchers don't find the exploits and bugs by reading the source code. They do it by fudging around with the binary while the program is running.

  2. The actual criteria by Anonymous Coward · · Score: 5, Informative

    Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.

    OK, here are the actual criteria, fresh from TFA:

    • Security bug must be original and previously unreported.
    • Security bug must be a remote exploit.
    • Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging./li>
    • Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.