August 03, 2004

Mozilla: Find a security bug, get $500

The Mozilla organization announced it will pay out at least $10,000 for the identification of security vulnerabilities in Mozilla. Find a vulnerability, get $500. At first glance this seems like a good idea for the Mozilla organization: capitalize on the publicity generated by security problems in IE and keep a few steps ahead in the race for secure browsers.

However, there have been a few grumblings lately about a larger trend of vulnerability information for sale. Vulnerability information has long had value, but that value has traditionally been traded for fame and marketing for the researcher in the best case, or a privately held 0-day in the worst case. Mozilla is not the first organization to pay for vulnerability information. A few vulnerability alert services have been paying for a while, but Mozilla is the first open source organization to do so and one of the first technology "vendors" to yell "we will pay you to break our product" to the internet.

A FAQ on Mozilla's bounty program.

Posted by Abner on August 3, 2004 12:12 PM