Mozilla gives bug hunter $2,500

A Firefox guru received $2,500 for finding flaws in Mozilla's program. But should other firms also reward researchers?
Written by Dan Ilett, Contributor on

The Mozilla Foundation has given $2,500 (£1,328) to a security researcher for discovering vulnerabilities in its free Web browser.

The company paid $500 to German researcher Michael Krax for each of the five bugs he found in Firefox.

"We developed the bug bounty programme to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This programme is one of the many ways the Mozilla Foundation produces safe and secure software for its users."

The National Infrastructure Coordination Centre earlier this month posted alerts about the bugs, which relate to chrome privileges — a mechanism that allows applications to change user interface details of the browser itself. If abused, this function could alter the 'Home' button, for example, to make it download malicious programs.

Mozilla is one of the few organisations to offer financial incentives to people who find vulnerabilities. Microsoft, which charges for its products and regularly asks the user community to test beta versions of its software, has no such scheme.

A spokesperson for Microsoft said: "We don't pay people to find bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does."

Microsoft also highlighted its cash-reward scheme for informants who help law enforcement agencies to convict virus writers.

Editorial standards