August 2, 2004 12:37 PM PDT

Mozilla puts bounty on bugs

A string of high-profile flaws in browser software prompted the Mozilla Foundation to announce on Monday that it would offer $500 for every serious bug found by security researchers.

The announcement comes a week after the Mozilla Foundation, which directs development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, confirmed that the group's browsers had two serious issues in dealing with digital certificates, the identity cards of the Internet. Last Friday, Microsoft fixed serious vulnerabilities in its Internet Explorer browser, some of which have been widely known since June.

"Recent events illustrate the need for this type of commitment," Mitchell Baker, president of the Mozilla Foundation, said in a statement. "The (program) will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."

Linux software maker Linspire and Internet entrepreneur Mark Shuttleworth funded the new initiative, dubbed the Mozilla Security Bug Bounty Program. Linspire seeded the program with $5,000, and Shuttleworth promised to match the first $5,000 in public contributions to the program, the foundation stated.

"We (the Mozilla Foundation) are moving into our second year, and we are going back and reviewing all the programs in place that we had in the past and setting priorities for the next year," said Chris Hofmann, director of engineering for the foundation. "Security is an area that we are serious about, and we wanted to get the ball rolling." He added that the foundation will continue to look for more contributors to the program.

Hofmann said that despite the bugs, Mozilla's security is good. Some critics have maintained that Mozilla's software has at least as many vulnerabilities as Microsoft's and that the only difference between the two applications is that Microsoft is more popular, so more security researchers are trying to break it.

"The conventional wisdom is that if Mozilla had the same market share as Microsoft, we would have as many flaws found--we don't see that as the case," Hofmann said.

A representative of Microsoft could not immediately be reached for comment.

Few companies have offered rewards for pinpointing software vulnerabilities, and the rewards have almost always been paid by security companies for flaws in other companies' software products. The rewards are generally used by security companies to gain a competitive edge over rivals by having their products recognize more vulnerabilities. The rewards also convince some would-be intruders to give up some of the tricks in their tool kit for quick cash.

However, a $500 reward might not be very enticing--a point Hofmann acknowledges. "We don't have any intentions of increasing that amount," he said. "It is mostly a way to thank people who help us further the security of the product."

Microsoft does not give bounties to bug finders but did start a program that has posted three $250,000 rewards for leads on virus writers.

Currently, the Mozilla Web application--which includes a browser, e-mail, chat program, and Web page editing program--has reached version 1.7. The Mozilla Foundation's Firefox stand-alone browser and Thunderbird e-mail client are close to being complete and are already widely used.

More information on the reward program can be found at The Mozilla Organization's Security Center.

4 comments

Join the conversation!
Add your comment
How to update FireFox?
Ya know I'm no big fan of Internet Imploder but I do like one thing. When I have to apply a sec patch I don't have to reinstall the intire application. AFAIK all the people I've migrated over to firefox over the last year I will now have to revisit to uninstall Firefox .8 or .9 and reinstall the latest version. At least IE you download a couple MB patch , install it, reboot, and you are done.
I think before V1 is officially released the folks at Mozilla need to figure out a better way of doing on the fly updates because this download the 4.7MB update, and go through the motions every time there is a new flaw found and patched is going to wear thin REAL fast with users. No one likes to apply patches but to MS's credit they do it in a relatively painless manner (Until the patch breaks something but that's another discussion for another day.
Posted by Jonathan (832 comments )
Reply Link Flag
You Don't Have To Reinstall
Mozilla should have done a better job of letting people know but you don't have to reinstall the entire application although that wouldn't be a bad idea. The program is only 4 megs.


<a class="jive-link-external" href="http://update.mozilla.org/extensions/moreinfo.php?id=154" target="_newWindow">http://update.mozilla.org/extensions/moreinfo.php?id=154</a>
Posted by Darryl Snortberry (96 comments )
Link Flag
"Bounty" won't work
Although $500 is a nice "token" or appreciation, I'm sure the the organized crime syndicates are more than willing to pay ten times that amount to be able to exploit a day-zero bug.

A bug that can not only allow them to take over a system, but to commit Identity and account fraud as well.

Still, something is still better than nothing.
Posted by Tex Murphy PI (165 comments )
Reply Link Flag
Bug Hunters Hall of Fame
$500 is surely too small an amount of money to get the job of serious bounty hunting to go forward. However, many bounty hunters want glory as well. We need to create A Bug Hunters Hall of Fame which would place the name and picture of the successful hunter and a brief description of his/her work. One year in the Hall should be sufficient except for really extraordinary fixes.
Posted by elallred (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.