Mozilla Bumps Security Bug Bounty To $3,000

Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

Insulting?

[CannonballHead]

Why is it insulting? Maybe it's "too little" but getting money for what most companies don't pay for is insulting?

Are people really that stuck up? hehe.

Re:

[sakdoctor]

I take all pricing set above or below the true market value to be a PERSONAL insult!
You insensitive clod.

Re:

[CannonballHead]

Pricing ABOVE true market value is a personal insult, too? Yikes. ;)

Re:

[robmv]

maybe that means... "I have a lot of money to waste and you not" jaja

Re:

[ArsonSmith]

But $500 was the market value. That was the most that the Moz foundation was willing to pay for sec bugs.

They got a bunch of the low hanging fruit with that.

Now at $3k they'll get the next harder sec bugs reported and fixed, as well as paying out some more money for fewer bugs.

At some point I bet they'll raise it again to maybe $10k, $20k, $100k as they find and nail down all security problems. Wasn't Tex or LaTex or something done in a similar way as well?

Re:

[Tubal-Cain]

I admit I don't know much about it, but I don't get the impression that TeX support as much of a moving target as Web browser security/UI/standards/etc. What massive changes has LaTeX needed to undergo these last few years in order to stay relevant? Mozilla has improved their Acid3 support, deal with security vulnerabilities that will never apply to LaTeX, added Theora support for the <video> tag, they're probably working on the rest of HTML5, they're changing to a Chrome-like UI, they're overhauling

Re:

[darthflo]

You're probably thinking of these [wikipedia.org]. Not quite $3000, but 0x$1 is a start.

Re:Insulting?

[AHuxley]

Yes for what most post to blogs, forums, mailing lists ect for free its a fair amount esp for any student.

Re:

[CannonballHead]

Precisely. $3000 is of course more than $500, and Google certainly could afford more ... although, on the other hand, Google has way more products to find bugs in, etc. Anyways, the whiff of "entitlement" in that statement seems strong to me.

Re:Insulting?

[Lunix Nutcase]

What entitlement? Finding these major exploits are not easy and can easily take weeks or months or work to uncover. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits to the black market.

Re:

[CannonballHead]

Maybe they aren't catering to those types of people?

Re:

[Lunix Nutcase]

They aren't catering to security researchers? Who else are they supposed to be catering to?

Re:

[CannonballHead]

Already-known professional security researchers are the only ones that can provide these? Maybe they are trying to get young whipper-snappers.

Re:

[xouumalperxe]

Would those younger whipper-snappers not be able to get more than 500$ on the black market, then?

Re:

[CannonballHead]

That is another argument... but in that case, Google is stupid, not insulting. If you want to argue that route, I may agree with you.

Re:

[ewanm89]

Google bounty only applies to chromium, Mozilla bounty applies to all beta, rc and stable releases of all products and services.

Re:Insulting?

[Lunix Nutcase]

Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.

Re:

[HungryHobo]

meh, I'm student and a comp sci grad and I almost certainly won't find anything but that figures enough that I'll be spending a few evenings this week examining the firefox source code.

Re:Insulting?

[Lunix Nutcase]

These researchers don't find the exploits and bugs by reading the source code. They do it by fudging around with the binary while the program is running.

Re:

[gumbi west]

Do you mean besides Charlie Miller frequent pwn2own winner? [tomshardware.com] He uses fuzzers and source code, and even reverse engineers binaries.

Re:

[Lunix Nutcase]

He may use source code if it's available, which it isn't for IE which has has found exploits in, once he's found something by after doing the fuzzing but I can assure you he doesn't just stare at the source code and go "AHA! A BUFFER OVERFLOW!!".

Re:

[ewanm89]

If the source is available, they'll also read through it. It's quite possible that they'll notice something someone else didn't especially if 1) they didn't write the code and 2) they know the kinds of things they are looking for. When code is not available a common step is to disassemble the code and to start to reverse engineer it.

Automatic fuzzers and exploit testers seldom provide results as 1) vendors can and generally do run such tests themselves and 2) they only test for the particular cases they are

Re:

[n6mod]

But to make tens of thousands on the black market, you really need a weaponized exploit. Mozilla will be quite happy with a detailed bug report.

Re:

[gumbi west]

No, Charlie Miller talks about much larger payouts from MS. He said, "I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." here [zdnet.com].

Re:

[ewanm89]

No, someone else can weaponise it easily, have you seen the way metasploit works? It takes little common exploit and common payload and sticks them together into one weaponised exploit.

Re:

[b4dc0d3r]

while you can make an argument that you are technically correct, "upwards of $10,000" is pretty misleading, "less than $5000" would be a better figure.

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that

Re:

[gad_zuki!]

I think "insulting" is code for "the market value of this vulnerability is much higher. I'd rather sell it to buyer other than Mozilla." In other words, most ethics are based in economics. Its easy to do good when there's money involved in doing so.

Re:

[ewanm89]

No, but they are more likely to let mozilla know about the exploit than stick it into the blackmarket, the fact that if they find something that gains access to mozilla's employee database or somesuch they may still screw with it, that's something else entirely.

Re:

[gumbi west]

No, I think the $500 offered by google is insulting because it's like offering some $10 to clean your house when it would cost them more than that to drive there. Interestingly, people don't seem to mind that much when the price is like $1 million, i.e. DARPA has given prizes of this size and the winner has spent six times that (not to mention all the looser) but I think if DARPA didn't want to offer the $1 million, they would be better off offering nothing than, i.e. $50, because the nothing suggests that

Re:

[alexmipego]

If you work on something you usually like to get paid. It's considered insulting to pay just 500$ for a bug simply because you can get a much higher paycheck if you sell it on the black market. So, if you're into security research to make money, 500$ is an insult to people's time.

Re:

[Dare nMc]

It's considered insulting to pay just 500$ for a bug

Donald Knuth used to pay $2.56 per bug found in his programming books, the recognition was more valuable than the amount and most people would frame the checks and never cash, as a matter of pride "I was recognized."
So getting a acknowledgment of finding a bug +value, getting significant money as well ++ value. Not worrying about selling your bug to people who might kill you if they think you screwed them or turned them in, and not worrying if the FBI, etc will throw you in jail for breaking laws... pric

Re:

[alexmipego]

Finding a bug in a book is a matter of reading, proof reading and testing every example on the book to see if it works well. You could say it's an exact science because you can simply define a couple rules and follow them until you find a small mistake.

Finding a bug on a software isn't that simple. For starters there are millions of lines of code and unlike books a single line can affect millions of other line's logic paths/assumptions/etc. There is no single method you can apply to find a bug and that's wh

Re:

[Dare nMc]

Finding a bug on a software isn't that simple. For starters there are millions of lines of code

That is likely true for fixing a bug. No where did it say you had to find the line of code, that causes the issue. But finding a bug in software, when you have the software, and say it was free software so anyone could use it... Then the difficulty in finding a bug could be as simple as downloading a copy of Mozilla and using it.
Similar to this security issue bounty, his bounty wasn't for grammer, it was for finding a significant issue. Most likely this $500 gives enough incentive to pay for the time sp

Re:

[alexmipego]

That's true if you're the casual finder, but not if you live of security research.

I do know it isn't as simple as looking at the code and sometimes you don't even do that, the point was that finding a bug on something as widely tested and used and a browser isn't as simple as proof-reading a book.

Re:

[ArsonSmith]

So the solution is to write a book about Firefox?

Re:

[quickOnTheUptake]

There is a big difference between a personal check from a legend and a check from a foundation or company. I would frame a check from Knuth; I would cash a check from Mozilla.

Re:

[mots]

Similarly, google pays $1337 for particularly severe or particularly clever bugs.

Re:

[ewanm89]

He still does, (figuratively, anyway, it's now a hall of fame on his website). He did it for TeX too, the key is his pricing scheme with TeX was such that the next bug would be exponentially more expensive, as that way as there were less bugs left to find so he payed more for finding them. However as TeX is now in several different implementations that aren't maintained by Knuth, he nolonger needs to worry about the TeX ones.

Re:

[Goaway]

The companies may not pay for it, but that does not mean there are not others who will pay.

Re:

[General Wesc]

The Cost of Social Norms [danariely.com].

The actual criteria

[Anonymous Coward]

Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.

OK, here are the actual criteria, fresh from TFA:

• Security bug must be original and previously unreported.
• Security bug must be a remote exploit.
• Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging./li>
• Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.

Re:

[Chapter80]

4 Insightful?

Did you mods even read this? Completely compromises the system from a remote location without internet connection?

Cmon!

Re:

[gumbi west]

The /. editors have infinite mod points and can add more than 1 to a comment. Usually when I see a way out of bounds mod like this that then gets corrected back to reality I wonder if the editor was just being a tool. But since we can't see editor mods separately so you never do know, maybe early birds are just different moderators than late comers.

Re:

[PseudonymousBraveguy]

Mozilla has a history of paying those bounties, why should that change? Have I missed that they are somehow evil now?

Many eyes make all bugs shallow...not

[Anonymous Coward]

<nt>

Knuth

[mandelbr0t]

It worked for him; the cheque from him was worth far more than the value printed on it. I think that offering rewards for disclosure can only lead to better code. Microsoft hasn't yet implemented this method as they would rapidly go broke.

Find and recreate can take time

[bzipitidoo]

As an example, text box input of Firefox used to have some bad bugs I never did track down, though I tried. After much editing and jumping about in the text box, sometimes using backspace would erase the wrong character. Would remove a character at the end of a line several lines above the cursor. Tried to recreate the bug with sequences of keystrokes I guessed might cause it, but no luck. I thought of buying a keylogger so I could capture the keystrokes the next time it happened. But that was getting t

Que the...

[NetNed]

"It's not a bug, it's a feature!"

Bad Idea

[slasho81]

Giving money for finding bugs is counterproductive. Here's why: http://www.youtube.com/watch?v=AIqtbPKjf6Q [youtube.com]

Re:

[bunratty]

That video explains why giving a low amount such as $500 is counterproductive. Paying a fair amount of money for security research is compensating people for the time and effort for finding and reporting the bug. As an example from the video, it's like giving someone $50, a fair amount, to change your tire instead of $1, which is an insulting amount.

Re:

[slasho81]

You completely missed the point. It's about the social contract.

Re:

[bunratty]

We don't have a social contract with Mozilla. It's a corporation. Do you build a social relationship with Mozilla so it can help you in times of distress? It sounds like you missed the point.

Re:

[dveditz]

A public benefit corporation wholly owned by a non-profit foundation. If you don't think this approach furthers the mission please let us know.

Re:

[bunratty]

I think it does further the mission. Giving $3000 per security bug is not counterproductive because security researchers do not have a social contract with Mozilla. Mozilla will not give us a ride to work if our car breaks down. Mozilla giving $3000 for a security bug is not like giving your mother-in-law money for Thanksgiving dinner for this reason.

Re:

[TravisO]

Dan is talking about paying money as a routine, like a salary. The security exploit pay is like a reward, you don't get paid for the effort, anybody can make the effort but only 1% of the people who would try are capable of finding a real security hole. The effect doesn't apply.

Re:

[sunwolf]

....aaaaand more: http://www.youtube.com/watch?v=u6XAPnuFjJc [youtube.com]

Re:

[bunratty]

I don't see how that applies in this situation, either. Mozilla is not paying people to specifically look for security problems in Firefox. The security researchers do whatever they want -- they're autonomous, doing the research they want to do for their own motivation. If during their work they happen to find a bug in Mozilla, this makes it easy for them to do the right thing and report the problem to Mozilla first, before someone else finds the problem.

According to the video, if they employed security res

Re:

[BZ]

This isn't money for finding bugs. This is money for, once you have found a bug, reporting it to Mozilla as opposed to selling it on the black market or just posting it on your blog so as to 0-day users.

That is, the assumption is that people are looking for bugs and are perhaps finding them. The bounty is to convince them to do things _after_ that in a way that does minimal harm to Mozilla's user.

Re:

[account_deleted]

Comment removed based on user account deletion

Oblig Dilbert Quote

[Spikeorama]

I need to sign up to work on Mozilla products! Boss: "Our goal is to write bug free software. I'll pay a ten-dollar bonus for every bug you find and fix. I hope this drives the right behavior." Wally: "I'm gonna write me a new minivan this afternoon!"

Re:

[bunratty]

This is the exact reason for the disqualification criterion for the bug bounty [mozilla.com]

In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.

$10,000 per flaw

[AthleteMusicianNerd]

Is what it would take to get me to look at it.

microsoft bug fix

[helix2301]

Microsoft would never do this they would get hackered apart worse then they do now with virus and spyware problems. There PR department would be out of control busy. Plus Microsoft patch team would have to be doubled in staff. Patch Tuesday would be every Tuesday.

Where are they getting the money?

[tjstork]

Just curious, but who is donating bucks to Mozilla?