Mozilla expands bug bounty to web apps

Mozilla has plans to expand its popular bug bounty program to web applications, offering to pay cash rewards to hackers who find serious security flaws in some of its high-profile web properties.
Written by Ryan Naraine, Contributor

The new program will see Mozilla paying between $500 and $3000 for "high severity," "extraordinary" or "critical" vulnerabilities in domains and web applications belonging to the open-source group.

The list of Web sites in play includes Mozilla's add-on site, the Bugzilla reporting site and several public-facing marketing sites.

Here's the list of domains under scope for the expansion of the program:

  • bugzilla.mozilla.org
  • *.services.mozilla.com
  • getpersonas.com
  • aus*.mozilla.org
  • www.mozilla.com/org
  • www.firefox.com
  • www.getfirefox.com
  • addons.mozilla.org
  • services.addons.mozilla.org
  • versioncheck.addons.mozilla.org
  • pfs.mozilla.org
  • download.mozilla.org

Mozilla director of infrastructure security Chris Lyon said the new policy will go into effect on December 15, 2010.

"We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research," Lyon said.

Mozilla already pays up to $3,000 for security holes in its flagship Firefox and Thunderbird client programs.

Google and Barracuda Networks are also among the latest wave of software companies offering to pay security researchers for the rights to vulnerability information.
