Mozilla is no stranger to bounties. They have provided bounty rewards for discovering bugs in their software in the past. Their “Bug Bounty Program” rewards individuals $500 for high severity and $3,000 for critical bugs. This is an ongoing offering, but it is separate from the recently announced $10,000 bounty.
So what is this new bounty? It’s a reward for discovering a vulnerability in the newest Firefox version, which is set to release on July 31st.
What Type of Bug Qualifies for the Bounty?
Of course, Mozilla isn’t going to throw $10,000 at any and every bug that gets discovered. It is important for them to reward based on the severity of the discovery, so less severe bugs get smaller rewards and highly critical bugs get very generous ones.
The $10,000 bounty is aimed at one specific problem area. The bugs it turns up may or may not be as advanced as many of the $3,000 finds (for highly critical bugs), but the area is definitely a priority for the company.
More specifically, Mozilla is looking to discover vulnerabilities in their certificate validation process. The new code in this area is said to be more robust because it works through every possible trust chain before it gives up, rather than stopping at the first chain that fails. The code is also said to be a lot easier to maintain, having shrunk from almost 82,000 lines to just over 4,000 lines.
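To make the “every possible trust chain” point concrete, here is a small added example (not Mozilla’s code, and not the actual Firefox validation logic) that models a certificate store as a handful of constructed records and compares two chain builders: one that commits to the first issuer it finds, and one that backtracks through every candidate issuer. The names, identifiers and trust anchor in the store are made up for the illustration; the scenario is a cross-signed intermediate whose first-listed issuer is a root that is no longer trusted.

```python
"""Toy certificate path builder (added illustration, not mozilla::pkix).

Certificates are modelled as simple records with a subject name, an issuer
name and an identifier; a certificate is a trust anchor when its identifier
appears in the trusted set.  The example contrasts a builder that stops at
the first dead end with one that backtracks through every possible issuer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str      # subject name
    issuer: str    # issuer name
    cert_id: str   # identifier so two certs with the same subject can be told apart


# Constructed sample store (hypothetical names, not real CAs).
# "Intermediate CA" has been cross-signed: one copy is issued by a retired
# root that is no longer trusted, the other by a root that is still trusted.
STORE = [
    Cert("Intermediate CA", "Old Root", "int-old"),
    Cert("Intermediate CA", "New Root", "int-new"),
    Cert("Old Root", "Old Root", "root-old"),   # self-signed, no longer trusted
    Cert("New Root", "New Root", "root-new"),   # self-signed and trusted
]
TRUSTED_ROOTS = {"root-new"}
LEAF = Cert("www.example.test", "Intermediate CA", "leaf")  # constructed end-entity cert

MAX_DEPTH = 8  # guard against loops and absurdly long chains


def issuers_of(cert, store):
    """All store certificates whose subject matches cert's issuer (excluding cert itself)."""
    return [c for c in store if c.name == cert.issuer and c is not cert]


def build_first_path(leaf, store, trusted):
    """Naive builder: always follows the first candidate issuer and never backtracks.
    Returns the chain as a list of ids if it reaches a trusted root, else None."""
    chain = [leaf]
    current = leaf
    for _ in range(MAX_DEPTH):
        if current.cert_id in trusted:
            return [c.cert_id for c in chain]
        candidates = issuers_of(current, store)
        if not candidates:
            return None           # dead end: give up even if another branch exists
        current = candidates[0]   # commit to the first issuer found
        if current in chain:
            return None           # loop (e.g. an untrusted self-signed cert)
        chain.append(current)
    return None


def build_any_path(leaf, store, trusted, chain=None):
    """Exhaustive builder: depth-first search with backtracking over every
    candidate issuer, so a dead end on one branch does not fail validation."""
    chain = (chain or []) + [leaf]
    if leaf.cert_id in trusted:
        return [c.cert_id for c in chain]
    if len(chain) >= MAX_DEPTH:
        return None
    for issuer in issuers_of(leaf, store):
        if issuer in chain:
            continue              # do not walk in circles
        found = build_any_path(issuer, store, trusted, chain)
        if found is not None:
            return found
    return None


def compare_builders(leaf=LEAF, store=STORE, trusted=TRUSTED_ROOTS):
    """Return (naive_result, exhaustive_result) for the same input."""
    return build_first_path(leaf, store, trusted), build_any_path(leaf, store, trusted)


if __name__ == "__main__":
    naive, exhaustive = compare_builders()
    print("first-issuer-only builder:", naive)
    print("exhaustive builder:       ", exhaustive)
```

The naive builder picks the first copy of the intermediate, walks up to the retired root, finds nothing trusted and reports failure; the exhaustive builder backtracks and finds the chain through the trusted root. The same exhaustive search still returns None when no trusted anchor exists at all, which is the behaviour a validator must keep: exploring every chain is about not rejecting valid certificates, never about accepting invalid ones.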
What Potential Problem Do They Want to Prevent?
The main concern that Mozilla has is that their newest version of Firefox may be exploitable through memory corruption. This could be achieved by spoofing certificate chains to give a false positive for a valid certificate, or by other, as yet unknown means.
While a hole in the certificate validation process is not always viewed as a direct security bug, the exploits that can result from it can definitely create major security issues.
It is safe to assume that this bounty choice came about as a result of the discovery of the Heartbleed bug. Mozilla wants to introduce a new version of Firefox that is safe from Heartbleed and any security exploits of a similar nature. Therefore, their certificate validation code has to be bulletproof.
A weak or inconsistent certificate validation process means that a malicious attacker could exploit the security loophole. This can allow the attacker to compromise active sessions and gain access to sensitive data. It is a point of entry that can give the attacker almost anything they want: credit card information, login credentials, and anything else shared with the website could easily be exposed from what would otherwise be considered a protected server.
What Are The Bounty Requirements?
As with any bounty program, there are a few rules and requirements that must be met in order to receive your reward. The submission must first fall in line with all the guidelines listed on their Bug Bounty Program page. Then, it must also meet the requirements listed in Mozilla’s blog post. You can check out that post for detailed information on the bounty guidelines and the additional requirements that apply to this $10,000 bounty.
Bounties for Browsers
This is not the first time that a bounty program has been created to reward those who find security loopholes in browsers. It is actually a very common occurrence, and this is just one of many cases. In fact, this pales in comparison to some of the larger bounties out there. For example, Microsoft has given out multiple $100,000 rewards for discovering and fixing bugs in Internet Explorer.
Google Chrome is another browser that’s further secured through a bounty program. Just recently, 31 flaws were found as a result of their “Patch Rewards Program” for Google Chrome 34.
It’s interesting, because these bounties are not something that have been around forever. They are a relatively new approach to boosting security. They have risen along with open source code, which is starting to become standard. In the past, no one wanted to give others access to their website or browser code, obviously, but now the rewards of doing so are pretty clear.
For instance, top browsers such as Google Chrome and Microsoft Internet Explorer are used by a very large portion of the world. Challenging security experts to find exploits is the only way to properly protect these people; otherwise you find yourself hoping and praying that no vulnerabilities actually exist.
This is something that will likely continue to grow. In 2011, a $3,133 bounty was record breaking, but nowadays it’s barely anything. Quality bounties are all priced around $7,500 to $12,500 and smaller bugs often net security experts around $1,000 to $2,500 each.
Looking Into the Future
The future of browsers and other major software is looking good for the average user. It’s always nice to know that these companies are putting their best foot forward and even going the extra mile by offering incentives to those who aren’t directly affiliated with the company.
Of course, there will never be an end to the potential exploits that will exist in future software releases. The Heartbleed bug is pretty solid evidence that both sides of security on the Web, the good and bad actors, are growing smarter every day. So you can definitely expect to see more bug bounty programs showing up and even greater rewards surfacing to further incentivize the smartest security experts to help make a difference.