View Full Version : Mozilla Security Bug Bounty Program
RAV TUX
July 7th, 2007, 09:18 PM
The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $500 (US) cash reward and a Mozilla T-shirt.
Many thanks to Linspire (http://www.linspire.com/) and Mark Shuttleworth (http://www.markshuttleworth.com/) for providing start-up funding for this endeavor. Mark Shuttleworth has issued a challenge grant to support this initiative. Please make a donation today. (http://www.mozilla.org/foundation/donate.html) Your tax-deductible contribution will be matched dollar for dollar, up to $5000, by Mark Shuttleworth.
Reward Guidelines

The bounty will be awarded for critical (http://www.mozilla.org/security/bug-bounty-faq.html#critical-bugs) security bugs that meet the following criteria:

- Security bug must be original and previously unreported.
- Security bug must be a remote exploit.
- Security bug is present in the most recent version of the Mozilla Suite, Firefox, and/or Thunderbird, as released by the Mozilla Foundation.
- Security bugs in or caused by additional 3rd-party software (e.g. Java, plugins, extensions) are excluded from the Bug Bounty program.
- Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
- Mozilla Foundation employees are ineligible.

If you found the security bug as part of your job (in other words, while being paid to work on Mozilla) then we would appreciate your not applying for the bounty. Our funds are limited and we would like this program to focus on people who are not otherwise paid to work on the Mozilla project.
If two or more people report the bug together the $500 reward will be divided among them.
Process

1. Please file a bug (http://bugzilla.mozilla.org/) describing the security bug; be sure to check the box near the bottom of the entry form that marks this bug report as confidential. We encourage you to attach a "proof of concept" testcase or link to the bug report that demonstrates the vulnerability. While not required, such a testcase will help us judge submissions more quickly and accurately.
2. Notify the Mozilla Security Group by email and include the number of the bug you filed and a brief summary. If you cannot file a bug, include the full details in the email and attach any proof of concept testcases or links. Mozilla Foundation staff and the Mozilla Security Group will consider your submission for the Security Bug Bounty and will contact you.
3. We ask that you be available to provide further information on the bug as needed, and invite you to work together with Mozilla engineers in reproducing, diagnosing, and fixing the bug. As part of this process we will provide you full access to participate in our internal discussions about the bug; for more information read our policy (http://www.mozilla.org/projects/security/security-bugs-policy.html) for handling security bugs.

More information about this program can be found in the Security Bug Bounty Program FAQ (http://www.mozilla.org/security/bug-bounty-faq.html).
http://www.mozilla.org/security/bug-bounty.html

euler_fan
July 7th, 2007, 09:47 PM
Of course, I'm nowhere near being able to go looking for bugs to submit for this, but it does--to me at least--demonstrate how open source software can achieve very high levels of security simply by having everyone looking for problems and--hopefully--fixing them.

Thanks for posting it. I hope someone who reads it finds something they get paid for :)

RAV TUX
July 7th, 2007, 09:50 PM
> Of course, I'm nowhere near being able to go looking for bugs to submit for this, but it does--to me at least--demonstrate how open source software can achieve very high levels of security simply by having everyone looking for problems and--hopefully--fixing them.
>
> Thanks for posting it. I hope someone who reads it finds something they get paid for :)

The other challenge is to donate money that Mark will match. ;)