Mozilla puts bounty on bugs
Summary
Topics
The announcement comes a week after the Mozilla Foundation, which directs development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, confirmed that the group's browsers hadtwo serious issues in dealing with digital certificates, the identity cards of the Internet. Last Friday, Microsoft fixed serious vulnerabilities in its Internet Explorer browser, some of which have been widely known since June.
"Recent events illustrate the need for this type of commitment,"Mitchell Baker, president of the Mozilla Foundation, said in a statement. "The (program) will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."
Linux software maker Linspire and Internet entrepreneur Mark Shuttleworth funded the new initiative, dubbed the Mozilla Security Bug Bounty Program. Linspire seeded the program with $5,000, and Shuttleworthpromised to match the first $5,000 in public contributions to theprogram, the foundation stated.
"We (the Mozilla Foundation) are moving into our second year, and we aregoing back and reviewing all the programs in place that we had in thepast and setting priorities for the next year," said Chris Hofmann,director of engineering for the foundation. "Security is an area that weare serious about, and we wanted to get the ball rolling." He added that the foundation will continue to look for more contributors to the program.
Hofmann said that despite the bugs, Mozilla's security is good. Somecritics have maintained that Mozilla's software has at least as many vulnerabilitiesas Microsoft's and that the only difference between the two applications is thatMicrosoft is more popular, so more security researchers are trying to break it.
"The conventional wisdom is that if Mozilla had the same market share asMicrosoft, we would have as many flaws found--we don't see that as the case," Hofmann said.
A representative of Microsoft could not immediately be reached forcomment.
Few companies have offered rewards for pinpointing software vulnerabilities, andthe rewards have almost always been paid by security companies for flawsin other companies' software products. The rewards are generally used bysecurity companies to gain a competitive edge over rivals by havingtheir products recognize more vulnerabilities. The rewards also convincesome would-be intruders to give up some of the tricks in their tool kit for quick cash.
However, a $500 reward might not be very enticing--a point Hofmann acknowledges. "We don't have any intentions of increasing that amount," he said. "It is mostly a way to thank people who help us further the security of the product."
Microsoft does not give bounties to bug finders but did start a program that hasposted three $250,000 rewards for leads on virus writers.
Currently, the Mozilla Web application--which includes a browser,e-mail, chat program, and Web page editing program--has reached version1.7. The Mozilla Foundation's Firefox stand-alone browser and Thunderbirde-mail client are close to being complete and are already widely used.
More information on the reward program can be found at The Mozilla Organization's Security Center.
Talkback - Tell Us What You Think
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
Facebook Activity
