Tuesday, July 20, 2010

Mozilla Now Offering $3K For Firefox Bugs

The Mozilla Foundation has announced that it will now pay users who discover and report critical security vulnerabilities in its software $3,000 for each vulnerability found.

The Mozilla Security Bug Bounty Program originally launched back in 2004. When it was first announced, the program's reward for bugs was limited to just $500. Today several other companies, including Google, have launched similar programs offering more and more money to users who can find critical holes in their web browsers.

Eligible security vulnerabilities must be remotely exploitable (over the web or a local network) and must not have been publicly documented previously.

Reward Guidelines

The bounty will be awarded for sg:critical and sg:high severity security bugs that meet the following criteria:
  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
  • Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
  • Employees of the Mozilla Foundation and its subsidiaries are ineligible.
Mozilla also asks that users who find a security bug as part of their job (in other words, while being paid to work on Mozilla code) not apply for the bounty. Funds for the project are limited, and Mozilla would like this program to focus on people who are not otherwise paid to work on the Mozilla project.

Mozilla reserves the right not to give a bounty payment if it believes the actions of the reporter have endangered the security of Mozilla's end users. If two or more people report the bug together, the $3,000 reward will be divided among them.
