Mozilla Bumps Security Bug Bounty To $3,000
Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."
Insulting? (Score:4, Insightful)
Why is it insulting? Maybe it's "too little", but getting money for what most companies don't pay for is insulting?
Are people really that stuck up? hehe.
Re:Insulting? (Score:2, Insightful)
If you work on something, you usually like to get paid. It's considered insulting to pay just $500 for a bug simply because you can get a much higher paycheck if you sell it on the black market. So, if you're into security research to make money, $500 is an insult to people's time.
Re:Insulting? (Score:4, Insightful)
Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.
Re:Insulting? (Score:4, Insightful)
These researchers don't find the exploits and bugs by reading the source code. They do it by fudging around with the binary while the program is running.