March 31, 2005 12:19 PM PST
Bug hunter gets bounty from Mozilla
The group paid $500 to German researcher Michael Krax for each of the five bugs he found in Firefox.
"We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users."
The bugs relate to chrome privileges--the elevated level of trust given to the browser's own user-interface code, which lets that code modify the browser itself. Web content that manages to obtain chrome privileges could, for example, alter the 'Home' button to make it download malicious programs.
Last week, Mozilla issued an update to the browser, version 1.0.2, that patched a buffer overflow in legacy Netscape code still used by Firefox to animate GIF images.
Mozilla is one of the few organizations to offer financial incentives to people who find vulnerabilities. Microsoft, which charges for its products and regularly asks the user community to test beta versions of its software, has no such scheme.
A representative for Microsoft said: "We don't pay people to fix bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does."
Microsoft also highlighted its cash reward scheme for informants who help law enforcement agencies to convict virus writers.
Dan Ilett of ZDNet UK reported from London.