System News
Cash Rewards Offered to Security Bug Bounty Hunters
Mozilla Foundation Pays Users Reporting Security Risks
September 9, 2004, Volume 79, Issue 2

The Security Bug Bounty Program will help us unearth security issues earlier...

-- Mitchell Baker

A $500 cash prize will be awarded to users who identify and report security vulnerabilities in Mozilla software. The initiative, called the Mozilla Security Bug Bounty Program, was launched last month by the Mozilla Foundation and is funded by Linux software developer Linspire, Inc. and Internet entrepreneur Mark Shuttleworth.

"As Mozilla software builds momentum in the marketplace, I'm inspired by the Mozilla Foundation's enduring commitment to transparency and responsiveness on security issues," Shuttleworth said. "And, I am happy to support this program."

Seeking to encourage the open source community's focus on security consciousness and responsiveness, the Mozilla Security Bug Bounty Program adds a further layer of assurance to software that is already regarded as relatively secure.

"While no software is immune from security vulnerabilities, bugs in open source projects are often identified and fixed more quickly," said Mitchell Baker, president of the Mozilla Foundation. "The Security Bug Bounty Program will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."

Shuttleworth and Linspire, Inc. have provided initial funding to support this initiative. However, the Mozilla Foundation is inviting its users and supporters to contribute to this program by making tax-deductible donations to the bounty's fund. The first $5,000 in community contributions will be matched dollar for dollar by Shuttleworth.

"Worry-free security on the Internet is long overdue and we're committed to supporting the Mozilla Foundation's efforts to give users peace of mind," said Michael Robertson, CEO of Linspire, Inc. "We strongly urge the open source community to take advantage of this initiative to help identify and report any security problems for correction."

The Mozilla Foundation's general policies for handling bug reports related to security vulnerabilities are as follows:

- Security bug reports are marked as "Security-Sensitive" and are subject to special access control features intended specifically for such reports. A security bug can revert to being a normal bug by having the "Security-Sensitive" flag removed, in which case the access control restrictions no longer apply.

- Full information about security bugs is restricted to a known group of people, using the Bugzilla access control restrictions described above.

- Information about security bugs can be held confidential for some period of time; there is no predetermined limit on how long that period might be. However, the person reporting a bug has visibility into the activities being taken to address it, and has the power to open the bug report for public scrutiny.

For more information about reporting security bugs, go to:

Contribution information can be found at:
