The group paid $500 to German researcher Michael Krax for each of the five bugs he found in Firefox.
"We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users."
The bugs relate to chrome privileges, a mechanism that allows applications to change user-interface details of the browser itself. If abused, this function could, for example, alter the 'Home' button so that it downloads malicious programs.
Last week, Mozilla issued an update to the browser, version 1.02, that patched a buffer overflow in the legacy Netscape code still included in Firefox for animating GIF images.
Mozilla is one of the few organizations to offer financial incentives to people who find vulnerabilities. Microsoft, which charges for its products and regularly asks the user community to test beta versions of its software, has no such scheme.
A representative for Microsoft said: "We don't pay people to fix bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does."
Microsoft also highlighted its cash reward scheme for informants who help law enforcement agencies to convict virus writers.
Dan Ilett of ZDNet UK reported from London.
- Who are they kidding?
by Bill Dautrive
April 2, 2005 12:31 PM PST
"A representative for Microsoft said: 'We don't pay people to fix bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does.'"
- Since you are in the know...
by David Arbogast
April 3, 2005 12:20 PM PDT
You sound as if you are familiar with MS software testing processes. Since you know so much about their process for finding bugs, why don't you clue the rest of us in?
Microsoft relies on third parties to find their bugs, then quite often trashes them for doing it or just denies that the flaw exists for a few months.
If MS paid $500 per bug found by third parties they would have gone out of business around 2000.
Microsoft has people on SALARY who fix bugs. Customers and partners are happy to evaluate Betas because they have large-scale deployments of Windows and it is in their interest to test in their environment before implementing. It is nice that MS will let partners test software before it is finished, and it is great that partners want to test.
In contrast, Mozilla had to offer $500 for each bug found... as incentive. Without the cash, would those bugs have been found this year? Next year? Who knows. The article states that one such bug is as old as earlier versions of Netscape.
What would be interesting would be to find out how long it took this guy to find those bugs. At $500 per bug, it would be a waste of time for a good developer to spend more than 6 to 10 hours on a bug. That is... if you are trying to make a living in a world where software companies actually pay salary and benefits for people to do this full time... $500 sounds pretty cheap to me.