RealTime IT News

Mozilla Community Cashing in on Bug Bounties

The Mozilla Foundation's Bug Bounty Program has netted some of its community members $6,000, nearly half of it going to one German developer, officials announced earlier this week.

South African venture capitalist Mark Shuttleworth and Linux vendor Linspire instituted the bug-quashing program in August 2004 to encourage Mozilla software users to report security vulnerabilities in the code.

Since then, five individuals have received $500 bounties on 12 security vulnerabilities, $2,500 of which went to Michael Krax of Germany. While only a handful of bug bounties have been handed out, the number of security bug reports from the open source community has been much higher, said Chris Hofmann, Mozilla Foundation director of engineering.

"It's hard to assign a number of reported issues to a week or month," he said. "When research identifies one area of vulnerability, there may be other bugs reported that are variations on that theme. So counting actual bugs reported isn't necessarily accurate."

The Mozilla Foundation has identified and fixed 66 security bugs in the latest versions of its Mozilla Suite, Thunderbird e-mail client and Firefox.

Microsoft's Internet Explorer and related products have also been beset by security vulnerabilities for years, though executives say they are making a renewed commitment to the browser.

What differentiates the Mozilla Foundation from its competition is its willingness to identify and publicize known vulnerabilities and patch those bugs quickly, according to a report issued earlier this month by Brussels-based security consultancy firm ScanIT.

"Security researchers seem to be more inclined to report Firefox vulnerabilities to the Mozilla development team than IE flaws to Microsoft because of a better general attitude towards them," said Alla Bezroutchko, ScanIT senior security engineer, in a statement.

The report shows the Firefox browser was only exposed to a publicly known vulnerability without a patch for 65 days in 2004; IE, on the other hand, was safe for only seven days last year.

"We value the security community highly, and the Bug Bounty program is one of the ways we help encourage participation," Hofmann said. "It's this community that helps us identify potential problems before exploits are developed and before consumers can suffer. This is facilitated through our open source development process."