Mozilla Ramps Up Vulnerability Reward Program

$3,000 now paid for every eligible bug and new products covered

Mozilla offers $3,000 reward for every remotely exploitable high or critical bug

Mozilla announces that it has brought its security bounty program in line with the new economic times and has increased the reward paid to researchers for eligible security bugs from $500 to $3,000. It has also officially added Firefox Mobile and other Mozilla services to the list of products covered by the program.

Mozilla launched its Security Bug Bounty Program back in 2004 with support from former OEM Linux distributor Linspire and Mark Shuttleworth, a well known Internet entrepreneur and founder of Canonical, the company behind the popular Ubuntu Linux operating system. The idea for the program came from a similar project run at Netscape in the '90s.

Mozilla used to reward researchers with $500 for every remotely exploitable bug discovered that was determined to be critical or high according to its own severity ratings. In general, critical bugs are the ones allowing for arbitrary code execution on users' systems, while high ones are those leading to the exposure of highly-sensitive information.

“For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” an announcement posted on the Mozilla Security blog reads.

In the past, the program covered only beta and stable versions of Firefox and Thunderbird. The organization has now added official coverage for Firefox Mobile, as well as any other Mozilla service that has security implications for those products.

Neither the authors of the buggy code nor Mozilla Foundation employees qualify for a reward, and the organization reserves the right to disqualify any researcher whose actions negatively impact its user base. That doesn't mean that Mozilla will stop rewarding publicly disclosed bugs; the policy on those remains unchanged.

“We hope other organizations will match our program and actively support constructive security research,” Lucas Adamski, Mozilla's director of security engineering, says. Google is another company that pays for bugs: the Internet giant pays between $500 and $1,337 for vulnerabilities found in its Chrome browser.

By    16 Jul 2010, 08:16 GMT