Sunday, 26 December 2010

Mozilla Ups Bounty for Security Bugs to $3,000

Since 2004, Mozilla has offered a $500 bounty for reports of security bugs; it has now raised that amount to $3,000, which should make the program considerably more attractive to bug finders.

As Lucas Adamski, Director of Security Engineering said in his blog, "While the original mission of protecting users by supporting security research has not changed, the security environment has changed tremendously. In recognition of these changes we are updating our security bounty program to better support constructive security research."

The larger payment is not the only change to the security bug bounty program; its scope has also been expanded. In addition to Firefox and Thunderbird, which were already covered, the program now includes Firefox Mobile and any Mozilla services those products rely upon.

The official reward guidelines also note that only critical and high severity security bugs that meet the following criteria are eligible for a reward.

Security bug must be original and previously unreported.
Security bug must be a remote exploit.
Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.
Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
Employees of the Mozilla Foundation and its subsidiaries are ineligible.
