March 31, 2005 12:19 PM PST

Bug hunter gets bounty from Mozilla

The Mozilla Foundation has given $2,500 to a security researcher for discovering vulnerabilities in its free Web browser.

The group paid $500 to German researcher Michael Krax for each of the five bugs he found in Firefox.

"We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users."

The bugs relate to chrome privileges, a mechanism that allows applications to change user-interface details of the browser itself. If abused, this function could alter the 'Home' button, for example, so that it downloads malicious programs.

Last week, Mozilla issued an update to the browser, version 1.02, that patched a buffer overflow in legacy Netscape code, still included in Firefox, that animates GIF images.

Mozilla is one of the few organizations to offer financial incentives to people who find vulnerabilities. Microsoft, which charges for its products and regularly asks the user community to test beta versions of its software, has no such scheme.

A representative for Microsoft said: "We don't pay people to fix bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does."

Microsoft also highlighted its cash reward scheme for informants who help law enforcement agencies to convict virus writers.

Dan Ilett of ZDNet UK reported from London.

Who are they kidding?
"A representative for Microsoft said: "We don't pay people to fix bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does.""

Microsoft relies on third parties to find their bugs, then quite often trashes them for doing it or just denies that the flaw exists for a few months.

If MS paid $500 per bug found by third parties they would have gone out of business around 2000.
Posted by Bill Dautrive
Since you are in the know...
You sound as if you are familiar with MS software testing processes. Since you know so much about their process for finding bugs, why don't you clue the rest of us in?

Microsoft has people on SALARY who fix bugs. Customers and partners are happy to evaluate Betas because they have large-scale deployments of Windows and it is in their interest to test in their environment before implementing. It is nice that MS will let partners test software before it is finished, and it is great that partners want to test.

In contrast, Mozilla had to offer $500 for each bug found... as incentive. Without the cash, would those bugs have been found this year? Next year? Who knows. The article states that one such bug is as old as earlier versions of Netscape.

What would be interesting would be to find out how long it took this guy to find those bugs. At $500 per bug, it would be a waste of time for a good developer to spend more than 6 to 10 hours on a bug. That is... if you are trying to make a living in a world where software companies actually pay salary and benefits for people to do this full time... $500 sounds pretty cheap to me.
Posted by David Arbogast