Mozilla offers $3,000 for bug reports

Starting the 1st of this month, the Mozilla Foundation will reward users who discover and report security vulnerabilities in its software with $3,000 for each vulnerability. Until now the reward, distributed under the Mozilla Security Bug Bounty Program which launched in 2004, has been limited to just $500. Bug finders can now also look forward to receiving a free T-shirt as part of the scheme. Eligible security vulnerabilities must be remotely exploitable (over the web or a local network) and not previously have been publicly documented.

The campaign is limited to the latest version of Firefox, Thunderbird, Firefox Mobile and any other Mozilla service which could allow a hostile takeover of any of these applications. Bugs in third party software such as browser add-ons (also known as extensions) and plug-ins are not eligible.

To prevent dodgy dealings, developers who have contributed to a part of the source code containing a particular bug are excluded from the scheme, as are Mozilla staff members. Linspire and Mark Shuttleworth, the man behind Canonical and Linux distribution Ubuntu, have provided the initial capital for the scheme.

The increased value of the reward is a reaction to developments in the security industry. There has long been a market for previously undiscovered vulnerabilities. Not only are reputable security companies such as TippingPoint and VeriSign interested in them, but vulnerabilities also represent valuable assets for those with criminal intent.

Google has been following the example set by Mozilla since the start of this year and rewarding users who discover previously unknown security vulnerabilities with $500. In particularly serious cases, Google bumps the reward up to $1,337. However, Google is not (yet) offering T-shirts.

See also:

• Refresh of the Mozilla Security Bug Bounty Program, a Mozilla Security Blog post.
• Google invites attacks on Chrome, a report from The H.

(crve)