August 03, 2004

Mozilla: Find a security bug, get $500

The Mozilla organization announced it will pay out at least $10,000 for the identification of security vulnerabilities in Mozilla. Find a vulnerability, get $500. At first glance this seems like a good idea for the Mozilla organization: capitalize on the publicity generated by security problems in IE and stay a few steps ahead in the race for the secure browser.

However, there have been a few grumblings lately about a larger trend of vulnerability information for sale. Vulnerability information has long had value, but that value has traditionally been traded for fame and marketing for the researcher in the best case, or for a privately held 0-day in the worst case. Mozilla is not the first organization to pay for vulnerability information. There are a few vulnerability alert services that have been paying for a while - but Mozilla is the first open source organization to do so and one of the first technology "vendors" to yell "we will pay you to break our product" to the internet.

A FAQ on Mozilla's bounty program.

Posted by Abner at 12:12 PM | Comments (0)