RealTime IT News

Mozilla: Dollars for Security Bugs

With the threat of malicious intrusion escalating, the open source Mozilla Foundation is putting a price tag on the discovery of critical security flaws in its browser projects.

With financial backing from Linux vendor Linspire (formerly Lindows and South African venture capitalist Mark Shuttleworth, Mozilla has launched the "Mozilla Security Bug Bounty Program" to dole out a $500 cash prize to users reporting critical security bugs.

Information about which bugs are eligible and how to claim the bounty has been posted to the security section of Mozilla's Web site.

The Mozilla Foundation, launched by Netscape in 1998 as a distributor of open source software, is responsible for the creation of the Mozilla Web and e-mail applications suite that includes the flagship Firefox browser.

"Identifying software security vulnerabilities requires constant vigilance, and preventing those issues from becoming problems necessitates a dedicated effort to provide quick and effective responses," Mozilla said.

"Recent events illustrate the need for this type of commitment. While no software is immune from security vulnerabilities, bugs in open source projects are often identified and fixed more quickly," said Mozilla president Mitchell Baker.

Baker was referring to the spate of malicious hacker exploits targeting Web browsers like Microsoft's Internet Explorer (IE) and Firefox.

"The [bounty program] will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."

He described the bounty program as an "additional mechanism" for identifying potential vulnerabilities in Mozilla's products.

The launch of the bounty program comes on the heels of a public warning that a "highly critical" security hole in the Netscape and Mozilla browsers could put users at risk of computer takeover.

Security research firm Secunia has also issued an advisory for a separate flaw with a "moderately critical" rating that could lead to URL spoofing, exposure of sensitive information, denial-of-service and system access via the Mozilla, Firefox and Thunderbird products.

The latest batch of flaws could open the door for malicious POP3 mail servers to cause heap overflows in Mozilla to obtain system access. Attackers can also manipulate Web pages to appear to be encrypted and present the certificate of another site.

"Mozilla doesn't verify if stored credentials should be used for an HTTPS or HTTP connection. This can potentially lead to the password being sent over an unencrypted HTTP connection," Secunia said in its alert.

The Mozilla Foundation has fixed all the vulnerabilities in Mozilla 1.7 and higher, Firefox 0.9 and higher and Thunderbird 0.7 and higher.