The Mozilla Foundation’s Bug Bounty Program has netted some of its community
members $6,000, nearly half of it going to one German developer, officials
announced earlier this week.
South African venture capitalist Mark Shuttleworth and Linux vendor Linspire instituted the bug-quashing program in August 2004 to encourage Mozilla software users to report security vulnerabilities in the code.
Since then, five individuals have received $500 bounties on 12 security
vulnerabilities, $2,500 of which went to Michael Krax of Germany. While only
a small number of bug bounties have been handed out, the number of security
bug reports from the open source community has been much higher, said Chris
Hofmann, Mozilla Foundation director of engineering.
“It’s hard to assign a number of reported issues to a week or month,” he
said. “When research identifies one area of vulnerability, there may be
other bugs reported that are variations on that theme. So counting actual
bugs reported isn’t necessarily accurate.”
The Mozilla Foundation has identified and fixed 66 security bugs in the
latest versions of its Mozilla Suite, Thunderbird e-mail client and Firefox.
Microsoft’s Internet Explorer and related products have also been beset by security vulnerabilities for years, though executives say
they are making a renewed commitment to the browser.
What differentiates the Mozilla Foundation from its competition is its
willingness to identify and publicize known vulnerabilities and patch those
bugs quickly, according to a report issued earlier this month by Brussels-based security consultancy firm ScanIT.
“Security researchers seem to be more inclined to report Firefox
vulnerabilities to the Mozilla development team than IE flaws to Microsoft
because of a better general attitude towards them,” said Alla Bezroutchko,
ScanIT senior security engineer, in a statement.
The report shows the Firefox browser was only exposed to a publicly known
vulnerability without a patch for 65 days in 2004; IE, on the other hand,
was safe for only seven days last year.
“We value the security community highly, and the Bug Bounty program is one
of the ways we help encourage participation,” Hofmann said. “It’s this
community that helps us identify potential problems before exploits are
developed and before consumers can suffer. This is facilitated through
our open source development process.”