[ISN] Mozilla puts bounty on bugs

InfoSec News isn at c4i.org
Wed Aug 4 13:47:40 EDT 2004


By Robert Lemos 
Staff Writer, CNET News.com
August 2, 2004

The announcement comes a week after the Mozilla Foundation, which
directs development of the Mozilla and Firefox browsers and the
Thunderbird e-mail client, confirmed that the group's browsers had two
serious issues in dealing with digital certificates, the identity
cards of the Internet. Last Friday, Microsoft fixed serious
vulnerabilities in its Internet Explorer browser, some of which have
been widely known since June.

"Recent events illustrate the need for this type of commitment,"  
Mitchell Baker, president of the Mozilla Foundation, said in a
statement. "The (program) will help us unearth security issues
earlier, allowing our supporters to provide us with a head start on
correcting vulnerabilities before they are exploited by malicious

Linux software maker Linspire and Internet entrepreneur Mark
Shuttleworth funded the new initiative, dubbed the Mozilla Security
Bug Bounty Program. Linspire seeded the program with $5,000, and
Shuttleworth promised to match the first $5,000 in public
contributions to the program, the foundation stated.

"We (the Mozilla Foundation) are moving into our second year, and we
are going back and reviewing all the programs in place that we had in
the past and setting priorities for the next year," said Chris
Hofmann, director of engineering for the foundation. "Security is an
area that we are serious about, and we wanted to get the ball
rolling." He added that the foundation will continue to look for more
contributors to the program.

Hofmann said that despite the bugs, Mozilla's security is good. Some
critics have maintained that Mozilla's software has at least as many
vulnerabilities as Microsoft's and that the only difference between
the two applications is that Microsoft is more popular, so more
security researchers are trying to break it.

"The conventional wisdom is that if Mozilla had the same market share
as Microsoft, we would have as many flaws found--we don't see that as
the case," Hofmann said.

A representative of Microsoft could not immediately be reached for

Few companies have offered rewards for pinpointing software
vulnerabilities, and the rewards have almost always been paid by
security companies for flaws in other companies' software products.  
The rewards are generally used by security companies to gain a
competitive edge over rivals by having their products recognize more
vulnerabilities. The rewards also convince some would-be intruders to
give up some of the tricks in their tool kit for quick cash.

However, a $500 reward might not be very enticing--a point Hofmann
acknowledges. "We don't have any intentions of increasing that
amount," he said. "It is mostly a way to thank people who help us
further the security of the product."

Microsoft does not give bounties to bug finders but did start a
program that has posted three $250,000 rewards for leads on virus

Currently, the Mozilla Web application--which includes a browser,
e-mail, chat program, and Web page editing program--has reached
version 1.7. The Mozilla Foundation's Firefox stand-alone browser and
Thunderbird e-mail client are close to being complete and are already
widely used.

More information on the reward program can be found at The Mozilla
Organization's Security Center.

More information about the ISN mailing list