Mozilla has plans to expand its popular bug bounty program to web applications, offering to pay cash rewards to hackers who find serious security flaws in some of its high-profile web properties.
The new program will see Mozilla paying between $500 and $3000 for "high severity," "extraordinary" or "critical" vulnerabilities in domains and web applications belonging to the open-source group.
The list of Web sites in play includes Mozilla's add-on site, the Bugzilla reporting site and several public-facing marketing sites.
Here's the list of domains under scope for the expansion of the program:
bugzilla.mozilla.org
*.services.mozilla.com
getpersonas.com
aus*.mozilla.org
www.mozilla.com/org
www.firefox.com
www.getfirefox.com
addons.mozilla.org
services.addons.mozilla.org
versioncheck.addons.mozilla.org
pfs.mozilla.org
download.mozilla.org
Mozilla director of infrastructure security Chris Lyon said the new policy will go into effect on December 15, 2010.
"We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research," Lyon said.
Mozilla already pays up to $3,000 for security holes in its flagship Firefox and Thunderbird client programs.
Google and Barracuda Networks are also among the latest wave of software companies offering to pay security researchers for the rights to vulnerability information.