Mozilla: Dollars for Security Bugs

With the threat of malicious intrusion escalating, the open source
Mozilla Foundation is putting a price tag on the discovery of critical
security flaws in its browser projects.

With financial backing from Linux vendor Linspire (formerly Lindows
and South African venture capitalist Mark Shuttleworth, Mozilla
has launched the “Mozilla Security Bug Bounty Program” to dole out a $500
cash prize to users reporting critical security bugs.

Information about which bugs are eligible and how to claim the bounty has
been posted to the security section
of Mozilla’s Web site.

The Mozilla Foundation, launched by Netscape in 1998 as a distributor of
open source software, is responsible for the creation of the Mozilla Web and
e-mail applications suite that includes the flagship Firefox browser.

“Identifying software security vulnerabilities requires constant
vigilance, and preventing those issues from becoming problems necessitates a
dedicated effort to provide quick and effective responses,” Mozilla
said.

“Recent events illustrate the need for this type of commitment. While no
software is immune from security vulnerabilities, bugs in open source
projects are often identified and fixed more quickly,” said Mozilla
president Mitchell Baker.

Baker was referring to the spate of malicious hacker exploits targeting
Web browsers like Microsoft’s Internet Explorer (IE) and Firefox.

“The [bounty program] will help us unearth security issues earlier, allowing our
supporters to provide us with a head start on correcting vulnerabilities
before they are exploited by malicious hackers.”

He described the bounty program as an “additional mechanism” for
identifying potential vulnerabilities in Mozilla’s products.

The launch of the bounty program comes on the heels of a public warning
that a “highly critical” security hole in the Netscape and
Mozilla browsers could put users at risk of computer takeover.

Security research firm Secunia has also issued an advisory for a separate
flaw with a “moderately critical” rating that could lead to URL spoofing,
exposure of sensitive information, denial-of-service and system
access via the Mozilla, Firefox and Thunderbird products.

The latest batch of flaws could open the door for malicious POP3 mail
servers to cause heap overflows in Mozilla to obtain system access.
Attackers can also manipulate Web pages to appear to be encrypted and
present the certificate of another site.

“Mozilla doesn’t verify if stored credentials should be used for an HTTPS
or HTTP connection. This can potentially lead to the password being sent
over an unencrypted HTTP connection,” Secunia said in its alert.

The Mozilla Foundation has fixed all the vulnerabilities in Mozilla 1.7
and higher, Firefox 0.9 and higher and Thunderbird 0.7 and higher.

News Around the Web