Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Bug The Almighty Buck

Mozilla Starts Bug Bounty Program 194

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsered by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."
This discussion has been archived. No new comments can be posted.

Mozilla Starts Bug Bounty Program

Comments Filter:
  • microsoft (Score:5, Funny)

    by pvt_medic ( 715692 ) on Monday August 02, 2004 @11:18AM (#9863164)
    if microsoft did this they go bankrupt in a week


    obligatory jab at microsoft
  • by Anonymous Coward on Monday August 02, 2004 @11:18AM (#9863167)
    mozilla.org offers a $500 bounty for discovering "critical" [mozilla.org] security holes, while Mircosoft offers [cnn.com] a $250,000 bounty for catching virus authors.
  • I think this is a great idea, and that it will help mozilla become a lot more secure (and pretty fast I might add)
    • Yes, I would agree with that. Did you notice how quickly the last Mozilla hole was fixed, and how small, in fact tiny (1kb), the download was to fix it?

      I have used Mozilla, and before it, Netscape for almost all browsing for a long time now, and simply do not get the problems that IE users get.

    • ...the rendering bug I've had with Firefox since... well... forever! Only on Slashdot - for the disbelievers I've slapped a couple of screenshots up here [demon.co.uk]. These are with the latest STABLE release, not a nightly bugfest, BTW...
      • I'm not that bothered about it myself, but I agree it does exist! I think some installs are affected more than other though - I'm sure my 0.8 install was okay, but I'm currently running 0.9.1 (patched) on Win2K and it is rendering /. strangely.

        The work around is to increase and decrease the font size (ctrl + then ctrl -).
      • The bug (217527) is not fixed in Firefox branch nightlies either, but it's "plussed" for Firefox 1.0 PR, so you can expect it to be fixed. See bug 217527 and bug 246382 (a regression caused by the fix for bug 217527) for details.
  • by NoMercy ( 105420 ) on Monday August 02, 2004 @11:18AM (#9863174)
    A few days ago you might remember someone who created an article on the vunribilities of a fake browser being made in a empty window using XUL...

    Guess he's 500 dolars down for blowing the whistle a week early :)
    • by Anonymous Coward
      The initial bug report was made almost three years ago, marked confidential, and ignored. He was far too late to claim the bounty on that particular bug.
  • by Anonymous Coward on Monday August 02, 2004 @11:19AM (#9863178)
    Microsoft puts bounty $5,000 on head of anyone uncovering IE security flaws.
  • by jsimon12 ( 207119 ) on Monday August 02, 2004 @11:19AM (#9863180) Homepage
    Cause we could go ahead and program ourselves a couple new minivans this evening ;) (yes I know Wally from Dilbert said it before I did, but this just seemed like the perfect time to use it)
  • This will give all budding CS majors (and lazy security geeks) a reason to hunt for bugs, other than being inquisitive.
    • Skills (Score:3, Insightful)

      It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.
      • Re:Skills (Score:5, Interesting)

        by jeff67 ( 318942 ) on Monday August 02, 2004 @11:44AM (#9863344)
        True, debugging is not on curricula. But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).
        • Re:Skills (Score:4, Insightful)

          by kryptkpr ( 180196 ) on Monday August 02, 2004 @11:56AM (#9863429) Homepage
          Not all debugging methods are created equal.. lots of extra printf calls will only get you so far. I can't count the number of fellow students whom I had to teach to use a debugger in my algorithms class.

          Debugging should definitely be taught in classes.. at least the basics of what a debugger is, how it can help you, and how to compile your program so a debugger can read it and give you source-level breakpoints.
          • Using a debugger without knowing what you are looking for is virtually useless. One needs to apply scientific methods and smart tool related methods.
          • Not all debugging methods are created equal.. lots of extra printf calls will only get you so far.

            That's certainly true, although IME a little work to instrument code properly (via printf or something similar but more powerful/flexible) can go a very long way. We have quite a neat system on the project I currently work on, which basically keeps a stack trace and lets you record diagnostic messages at several levels of priority, and then lets you customise the diagnostic file that's generated based on w

        • But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

          Right. Just like those full-blown graduates I used to work with would take a week to write a Java text-processing program that could have been written in five minutes with Perl or sed. How about those database tables with things like "Email1" and "Email2"? What about choosing Oracle and Web Logic with full J2EE dressing for a site that has only a few
  • by baby_head_rush ( 131448 ) on Monday August 02, 2004 @11:19AM (#9863188) Homepage Journal
    Imagine if /. paid a nickle for every 503 error.
  • ...but doesn't this sound a bit desperate? IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate. (And alot of people would be rich).

    All credit to the Mozilla Foundation if they can keep their image with this kind of approch to secuirty.

    Now, who's going to be the first to earn their $500?

    NeoThermic
    • by ajrs ( 186276 )
      I'll chop it off for you. You might want to check out this link about TeX [cbbrowne.com], which has had a bounty for decades.


      I think you might have confued bragging with desperation.

      • by mytec ( 686565 ) on Monday August 02, 2004 @11:37AM (#9863316) Journal

        My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security piece-of-mind Mozilla/Firefox has rather than the type of bounty Tex has.

        If Mozilla/Firefox where to lose the mainstream perception of a more secure browser why would users of IE switch?

        • If Mozilla/Firefox where to lose the mainstream perception of a more secure browser why would users of IE switch?
          I switched for the features. I stayed for the security.

          (Oh, and switching to Linux had something to do with it, too, in my case.)

        • My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security piece-of-mind Mozilla/Firefox has rather than the type of bounty Tex has.

          Alternativily could it be a bit of PR to deflect from the controvesy surrounding the two recently publicised bugs which had been sat on by the Mozilla team for several years before they got around to being fixed?

          • Alternativily could it be a bit of PR to deflect from the controvesy surrounding the two recently publicised bugs which had been sat on by the Mozilla team for several years before they got around to being fixed?

            Naa, its purely a small amount of money to focus a lot of eyes on the problem. If it was pure PR they'd probably offer a much large some of money for catching virus writters or something?!
      • TeX's bounty is for all bugs, not just security holes.

        mozilla.org's bounty is more similar to djb's bounties for security holes in his server software, djbdns [cr.yp.to] and qmail [cr.yp.to]. The major differences between mozilla.org's bounty and djb's are that mozilla.org produces client software rather than server software, and we expect our bounty to be won (multiple times).
    • "IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate."

      So? It's their own fault that they've gotten a reputation that's so bad that people treat them differently.
    • Microsoft already does it. Only, being Microsoft, they do it backwards and pay for catching bad guys who exploit the bugs in their software, instead of paying for fixing them damn bugs.
  • by Locky ( 608008 ) on Monday August 02, 2004 @11:20AM (#9863199) Homepage
    Instead they have a $10 million dollar pool of rewards for the capture of people who exploit the bugs for malicious purposes.

    I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.
    • The security hole is already there. How do you prevent it by paying people for finding it? Microsoft paid money to catch the virus author because he was doing massive damage. Why? Not because the security hole wasn't found (it was), but because people don't patch their systems.

      I'm not usually one to stand up for Microsoft, but come on! What is it with you people who compare Microsoft's reward for catching virus authors and Mozilla's security bounty?

      Security holes are found in IE all the time. So what's

  • by Exmet Paff Daxx ( 535601 ) on Monday August 02, 2004 @11:23AM (#9863221) Homepage Journal
    Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

    Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article [nytimes.com]. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.

    -Exmet
    • Now Linux gives out cash...

      Be a little careful how you word things. This is specific to the Mozilla Foundation. It doesn't have anything to do with Linux. But it does look great from a leadership role.
    • Hm, your sig indicates that you might be the first to collect the bounty, or does it mean something entirely different?
    • 1.) Using a dollar sign in the word Microsoft doesn't make you clever.
      2.) Your sig has been proven false. Already, we've seen two critical security holes in the past month, one of which was known for five years but covered up and marked as "confidential."
    • I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

      There's a huge difference in paradigm, but if the media does anything about it, it will be to bury it.

      With the possible exception of some stuff by Knuth, everything has bugs, where possible inputs produce undesirable outputs.

      Given that there are bugs, what's the better way to stumble into them?
      Something nasty and hidden?
      Something spectacular and harmless?

      No, the media will be worse than useless. Since
  • by Anonymous Coward on Monday August 02, 2004 @11:31AM (#9863280)
    If you've ever won any money at a charity fund-raiser, you know the deal:

    1) go up and accept your check
    2) nod and smile alot
    3) donate your check back to the charity

    Is there a prayer people motivated by this bounty have the same modicum of class?
    • The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it. All the people that want to donate time and are already finding security bugs can already do so.

      Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

      Oh, and I'm hoping that the MF won't run into problems with people trying to scam the system by introducing security problems and then "discovering" them.
      • Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

        Imagine the outsourcing possibilities...

      • The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it.
        That's what a charity does -- people give them money, and they spend it in ways that are consistent with their charter.

        Let me guess -- you associate the word "charity" with well-meaning handouts that mainly benefit people who have lots of lame excuses for not working. There are charities like that, but that's not what the word means.

  • This seems like it could become rather popular, after all people like money. Will the developers at mozilla all of a sudden find themselves with bugs that aren't?

    Don't get me wrong I think this is a great idea, and as others have said it should really spur on the tightening of security for the browser.
  • by Anonymous Coward on Monday August 02, 2004 @11:35AM (#9863304)
    Until fairly recently, Netscape used to have a similar bug bounty program but they offered $1000. So it's really just a continuation of the legacy.
  • by Anonymous Coward on Monday August 02, 2004 @11:37AM (#9863317)
    1. Submit buggy software to Mozilla project.

    2. "Find" said bug.

    3. Profit!
  • Why? (Score:2, Interesting)

    by slavemowgli ( 585321 )
    Maybe it's just me, but I really am wondering why they're doing this. Mozilla is *full* of bugs already, many of them significant [mozilla.org] (albeit not security-related), that aren't fixed; and users that encounter security issues are likely to report them anyway, I think, no matter whether they get paid for it or not.
    • Re:Why? (Score:2, Insightful)

      by interJ ( 653180 )
      1. Users don't accidentally run into buffer overflows (or many other security bug types). It's something you have to actively search for. The money is supposed to motivate more people to do this.

      2. You may think that MNG support is more important than sites that can take over your computer or steal your credit card number. However, most people (including Mozilla developers) would disagree.
  • why did I submit those bugs in the past :(((
  • Quick $500 (Score:5, Funny)

    by Bill, Shooter of Bul ( 629286 ) on Monday August 02, 2004 @11:47AM (#9863363) Journal
    I've found a serious flaw in Mozilla. It allows itself to run on Windows, an inherintly insecure platform.
  • by Maestro4k ( 707634 ) on Monday August 02, 2004 @11:47AM (#9863365) Journal
    IIRC, Netscape had a bug bounty of sorts and it was pretty much ignored. There was a lot of annoyance from people reporting bugs to see them either never fixed or fixed and no one given credit for the bounty. (This was all pre-AOL buying Netscape.) I know the Mozilla foundation's different, but there's a lot of people with long memories and they'll need to be prepared to show they're different in this aspect too.
  • quote: "Alright! I'm coding me a mini-van!"
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Monday August 02, 2004 @11:53AM (#9863399)
    Comment removed based on user account deletion
    • It prevents bugzilla from becoming a handbook for script kiddies.
    • If the public doesn't know about them, they won't be able to take advantage of them. If it is a tough problem to solve, like the browser spoofing with xul, they can make the bug confidential until the public finds out about it or they solve it.
    • You are correct.

      Whats up with that mozilla?

      It is a good idea. Mozilla is a very large codebase with a reletively small number of developers. Therefore they don't have the fast turn around time for fixing critcal bugs that other projects do. They are already fixing bugs as fast as they can get around to it. If you wan't this process to go faster join the development team.

      Security through obscurity is not completely worthless - it does one thing and that is to buy you more time, and that is all this is
    • Some security through obscurity is a reasonable precaution here IMHO, as part of a wider security policy. Principally, it may protect people using the browser from the scriptkiddies which full disclosure might bring (as others have noted).

      One of the main arguments for full disclosure is that, if a vendor isn't fixing a bug (in a reasonable period after you have notified them of it), you can force the issue by making it public.

      If security by obscurity was the core of the security policy then I wouldn't b

    • So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

      Quoting from the Mozilla Security Bug Bounty FAQ [mozilla.org],

      If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

      No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published

    • Mozilla lives and breathes because Microsoft does exactly the same. People don't feel safe running Microsoft software, because they aren't told of security vulnerabilities. So why should we be using Mozilla software?

      Recently, I have decided to boycott all Mozilla software. Instead of using Galeon, I'm now using Konqueror (but it doesn't seem to have nearly as good a UI). I'm currently using Evolution, but the distance between Moz Mail/Thunderbird and the UI of it's nearest competitor is a lot bigger than t
  • by Anonymous Coward
    ...and get $500 for your effort, you may want to keep it (as opposed to donating it to charity or giving it back to the foundation, as others have suggested here) because you're going to need it when you get sued for your service to the community.

    Thank you, DMCA and anything that protects big businesses which had their servers infect their customers' computers, but nobody got to know which businesses because they might lose money if their IT carelessness was made public.
  • by xxxJonBoyxxx ( 565205 ) on Monday August 02, 2004 @12:22PM (#9863590)
    The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.

    Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.

    On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.
  • "Significant" (Score:2, Insightful)

    by Neutronix ( 248177 )
    Perhaps I've been living too long on a cynic world...

    But defining what is "Significant bug" will be extremely important, since this is not an unbiased concept, who will decide what is significant or not? Certainly it will not be who reports the bug, but it shouldn't be the one that pays the bill either.
    • From the faq [mozilla.org]:

      What types of security bugs do you consider to be "critical"?

      In general we consider critical security bugs to be those that allow execution of arbitrary code on users' systems or that otherwise allow access to users' confidential information. In the latter case we consider bugs to be critical only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be critical if t

  • Many eyes? (Score:3, Interesting)

    by Yankovic ( 97540 ) on Monday August 02, 2004 @01:11PM (#9863810)
    What happened to the open source axiom "with many eyes, all bugs are shallow"? Shouldn't it render a program like this unnecessary?
    • Re:Many eyes? (Score:3, Insightful)

      by tiger99 ( 725715 )
      Yes and no, yes because with sufficient eyes, all bugs are indeed shallow, and no because probably not so many eyes bother to look at the Mozilla source, as the Linux kernel, for example. This encourages more eyes to look.
    • The truth is that the "many eyes" idea doesn't actually work. It's not like coders sit there all night poring through the code line by line. People miss things in the code just like a company's developers miss things in their code. The Linux kernel has had plenty of system-killing bugs in its time, and Mozilla has already had several major critical flaws. What's particularly disturbing is that the XUL flaw was known since 1999 but marked "confidential."

      What we're witnessing is an OSS project struggling
    • No.

      It just makes sure the eyes stay opened and focused longer.
  • Under the new program, users reporting critical security bugs - as judged by the Mozilla Foundation staff - will collect a $500 cash prize.

    Unless applications are evaluated by some pro-consumer third party (something like Consumer's Union), it's not much of an offer. The proposed "bounty" gives the staff too much wiggle room.

    • Re:Lousy deal (Score:3, Informative)

      by jesser ( 77961 )
      I don't like the wording in the press release either. The Bug Bounty FAQ [mozilla.org] makes it more clear, but still leaves a lot of information out.

      Bugs that will get the bounty:

      * Arbitrary code execution without user interaction.
      * Reading files with known names from the user's hard drive without user interaction.
      * Reading cookies or stored passwords for other sites without user interaction.

      For bugs that require some user interaction to exploit, human judgement is required, hence contest judges.

      Bugs that will not
  • Mark Shuttleworth (Score:3, Informative)

    by FleaPlus ( 6935 ) on Monday August 02, 2004 @02:21PM (#9864173) Journal
    As a reminder, Mark Shuttleworth [wikipedia.org] is the Internet entrepreneur who was the second space tourist. It's really quite cool to see him taking an interest in helping Mozilla.
  • I'm going to write me a new minivan this afternoon!
  • It's only a matter of time before someone steals their confidential list of security bugs and cashes in big time.

6.023 x 10 to the 23rd power alligator pears = Avocado's number

Working...