Mozilla hikes Firefox bug bounties to US$3K

Increases payment for reported vulnerabilities six-fold

Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to US$3,000.

The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum US$1,337 that Google pays for the most severe bugs.

Mozilla and Google are the only browser makers that pay security researchers for reporting vulnerabilities in their products.

"A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," said Lucas Adamski, director of security engineering. Mozilla kicked off its bounty program in August 2004.

Only bugs that Mozilla ranks "critical" or "high" -- its top two ratings -- are eligible for payment. In Mozilla's hierarchy, critical vulnerabilities are those that allow remote code execution; in other words, ones that when exploited give the attacker full control of the machine. High vulnerabilities are those that expose "high-value" personal information, such as usernames, passwords and credit card numbers. Denial-of-service flaws are not eligible for a bounty, Mozilla said.

Google launched its own cash-for-flaws program in January 2010, paying US$500 for most bugs. Some vulnerabilities, however, earn their discoverer US$1,000, or even US$1,337, the latter given only to bugs that Chrome's team judges "particularly severe or particularly clever."

The last time Google paid bounties was July 2, when it handed out $2,500 to a pair of researchers for reporting four vulnerabilities.

Adamski announced several other changes to Mozilla's bounty program on the Mozilla security blog Thursday.

Bugs in the Mozilla Suite -- which the Mozilla Foundation dropped in 2005 -- will no longer be eligible for bounties, said Adamski. But vulnerabilities in Firefox Mobile, Mozilla's mobile browser, as well as in any Mozilla services that Firefox or Thunderbird rely on for safe operation, are eligible.

Mozilla also added new language to its reward policy that gives it some new flexibility.

"Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla's end users," the revised guidelines now state.

Adamski noted that change in his blog posting, but did not elaborate. Mozilla did not immediately reply to questions early Friday.

Researchers may have questions for Mozilla about the new language, since the FAQ for the bounty program says that they don't have to wait for patches to be built and applied to, say, Firefox before they go public with their information.

"If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?" the FAQ asks. Mozilla's answer: "No. We're rewarding you for finding a bug, not trying to buy your silence."

Other bug bounty programs, particularly HP TippingPoint's and VeriSign iDefense's, not only pay more than either Mozilla or Google (though both are secretive about their payment structures) but also require researchers to keep mum until the vulnerability they've reported is patched.

That may change: Both TippingPoint and iDefense appear to be rethinking their policies.

In mid-June, Aaron Portnoy, security research team lead at TippingPoint, tweeted, "Spender's post makes me want to enforce a hard deadline for vendors to patch. If not, ZDI drops the bug anyway. It's oddly safer that way." Portnoy's reference was to a long message posted by Brad Spender on the "Dailydave" security mailing list, in which he took Microsoft and several publications, including Computerworld, to task for linking Tavis Ormandy, a researcher who publicly disclosed a critical vulnerability in Windows XP just days after reporting it, to his employer, Google.

After Portnoy tweeted his comment, TippingPoint declined further comment.

Two weeks ago, iDefense chimed in. "We should carefully watch and respond to the recent change in vulnerability disclosure trends," the company's Twitter account broadcast.

The tweets from TippingPoint and iDefense seem to be a reaction to the controversy over Ormandy's disclosure of a Windows Help and Support Center bug on June 10, five days after he reported it to Microsoft. His disclosure set off a heated debate among researchers, with some critical of his decision and others supportive. Microsoft patched the flaw last Tuesday in its July security updates.

Gregg Keizer

Computerworld (US)