Slashdot: News for Nerds

Mozilla Bumps Security Bug Bounty To $3,000

kdawson posted about 4 years ago | from the doing-well-by-doing-good dept.


Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."


73 comments

FP (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#32927116)

FP bitches

Re:FP (0)

Anonymous Coward | about 4 years ago | (#32936880)

67th post, bitches!

Insulting? (3, Insightful)

CannonballHead (842625) | about 4 years ago | (#32927194)

Why is it insulting? Maybe it's "too little" but getting money for what most companies don't pay for is insulting?

Are people really that stuck up? hehe.

Re:Insulting? (2, Funny)

sakdoctor (1087155) | about 4 years ago | (#32927292)

I take all pricing set above or below the true market value to be a PERSONAL insult!
You insensitive clod.

Re:Insulting? (1)

CannonballHead (842625) | about 4 years ago | (#32927336)

Pricing ABOVE true market value is a personal insult, too? Yikes. ;)

Re:Insulting? (1)

robmv (855035) | about 4 years ago | (#32927768)

maybe that means... "I have a lot of money to waste and you don't" haha

Re:Insulting? (1)

ArsonSmith (13997) | about 4 years ago | (#32931756)

But $500 was the market value. That was the most that the Moz foundation was willing to pay for sec bugs.

They got a bunch of the low hanging fruit with that.

Now at $3k they'll get the next harder sec bugs reported and fixed, as well as paying out some more money for fewer bugs.

At some point I bet they'll raise it again to maybe $10k, $20k, $100k as they find and nail down all security problems. Wasn't TeX or LaTeX or something done in a similar way as well?

Re:Insulting? (1)

Tubal-Cain (1289912) | about 4 years ago | (#32955748)

I admit I don't know much about it, but I don't get the impression that TeX is as much of a moving target as Web browser security/UI/standards/etc. What massive changes has LaTeX needed to undergo these last few years in order to stay relevant? Mozilla has improved their Acid3 support, dealt with security vulnerabilities that will never apply to LaTeX, added Theora support for the <video> tag, they're probably working on the rest of HTML5, they're changing to a Chrome-like UI, they're overhauling their plugin system...so much opportunity for "trivial" bugs.

Re:Insulting? (1)

darthflo (1095225) | about 4 years ago | (#32974762)

You're probably thinking of these [wikipedia.org] . Not quite $3000, but 0x$1 is a start.

Re:Insulting? (3, Insightful)

AHuxley (892839) | about 4 years ago | (#32927304)

Yes, for what most post to blogs, forums, mailing lists etc. for free, it's a fair amount, especially for any student.

Re:Insulting? (1)

CannonballHead (842625) | about 4 years ago | (#32927354)

Precisely. $3000 is of course more than $500, and Google certainly could afford more ... although, on the other hand, Google has way more products to find bugs in, etc. Anyways, the whiff of "entitlement" in that statement seems strong to me.

Re:Insulting? (3, Informative)

Lunix Nutcase (1092239) | about 4 years ago | (#32927518)

What entitlement? Finding these major exploits is not easy and can easily take weeks or months of work. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits on the black market.

Re:Insulting? (1)

CannonballHead (842625) | about 4 years ago | (#32927800)

Maybe they aren't catering to those types of people?

Re:Insulting? (1)

Lunix Nutcase (1092239) | about 4 years ago | (#32928046)

They aren't catering to security researchers? Who else are they supposed to be catering to?

Re:Insulting? (1)

CannonballHead (842625) | about 4 years ago | (#32928668)

Already-known professional security researchers are the only ones that can provide these? Maybe they are trying to get young whipper-snappers.

Re:Insulting? (1)

xouumalperxe (815707) | about 4 years ago | (#32928972)

Would those younger whipper-snappers not be able to get more than $500 on the black market, then?

Re:Insulting? (1)

CannonballHead (842625) | about 4 years ago | (#32931498)

That is another argument... but in that case, Google is stupid, not insulting. If you want to argue that route, I may agree with you.

Re:Insulting? (2, Informative)

ewanm89 (1052822) | about 4 years ago | (#32931490)

Google bounty only applies to chromium, Mozilla bounty applies to all beta, rc and stable releases of all products and services.

Re:Insulting? (3, Insightful)

Lunix Nutcase (1092239) | about 4 years ago | (#32927368)

Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.

Re:Insulting? (1)

HungryHobo (1314109) | about 4 years ago | (#32927512)

meh, I'm a student and a comp sci grad and I almost certainly won't find anything, but that figure's enough that I'll be spending a few evenings this week examining the Firefox source code.

Re:Insulting? (3, Insightful)

Lunix Nutcase (1092239) | about 4 years ago | (#32927544)

These researchers don't find the exploits and bugs by reading the source code. They do it by fudging around with the binary while the program is running.

Re:Insulting? (1)

gumbi west (610122) | about 4 years ago | (#32930640)

Do you mean besides Charlie Miller frequent pwn2own winner? [tomshardware.com] He uses fuzzers and source code, and even reverse engineers binaries.

Re:Insulting? (2, Funny)

Lunix Nutcase (1092239) | about 4 years ago | (#32930744)

He may use source code if it's available, which it isn't for IE, which he has found exploits in, once he's found something after doing the fuzzing, but I can assure you he doesn't just stare at the source code and go "AHA! A BUFFER OVERFLOW!!".

Re:Insulting? (1)

ewanm89 (1052822) | about 4 years ago | (#32931672)

If the source is available, they'll also read through it. It's quite possible that they'll notice something someone else didn't especially if 1) they didn't write the code and 2) they know the kinds of things they are looking for. When code is not available a common step is to disassemble the code and to start to reverse engineer it.

Automatic fuzzers and exploit testers seldom provide results as 1) vendors can and generally do run such tests themselves and 2) they only test for the particular cases they are programmed to look for, not new slightly more obscure cases.

Re:Insulting? (1)

n6mod (17734) | about 4 years ago | (#32927654)

But to make tens of thousands on the black market, you really need a weaponized exploit. Mozilla will be quite happy with a detailed bug report.

Re:Insulting? (2, Informative)

gumbi west (610122) | about 4 years ago | (#32930738)

No, Charlie Miller talks about much larger payouts from MS. He said, "I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." here [zdnet.com] .

Re:Insulting? (1)

ewanm89 (1052822) | about 4 years ago | (#32931714)

No, someone else can weaponise it easily, have you seen the way metasploit works? It takes little common exploit and common payload and sticks them together into one weaponised exploit.

Re:Insulting? (1)

b4dc0d3r (1268512) | about 4 years ago | (#32937016)

while you can make an argument that you are technically correct, "upwards of $10,000" is pretty misleading, "less than $5000" would be a better figure.

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."

Re:Insulting? (1)

gad_zuki! (70830) | about 4 years ago | (#32927356)

I think "insulting" is code for "the market value of this vulnerability is much higher. I'd rather sell it to a buyer other than Mozilla." In other words, most ethics are based in economics. It's easy to do good when there's money involved in doing so.

Re:Insulting? (0)

Anonymous Coward | about 4 years ago | (#32928528)

Right. By setting the price low, they motivate the altruistic and well-intended researchers without attracting increased attention from those who have less favourable motives. A researcher whose personal business model includes finding ways to screw Mozilla is unlikely to flip for a simple fee increase alone.

Re:Insulting? (1)

ewanm89 (1052822) | about 4 years ago | (#32931782)

No, but they are more likely to let Mozilla know about the exploit than stick it into the black market. The fact that if they find something that gains access to Mozilla's employee database or somesuch they may still screw with it, that's something else entirely.

Re:Insulting? (1)

gumbi west (610122) | about 4 years ago | (#32930814)

No, I think the $500 offered by Google is insulting because it's like offering someone $10 to clean your house when it would cost them more than that to drive there. Interestingly, people don't seem to mind that much when the price is like $1 million, i.e. DARPA has given prizes of this size and the winner has spent six times that (not to mention all the losers), but I think if DARPA didn't want to offer the $1 million, they would be better off offering nothing than, i.e., $50, because the nothing suggests that it was a difficult prize to price, or that winning it was its own substantial reward, while $50 suggests that the prize wasn't worth that much--it would be an insult to the winner.

Re:Insulting? (2, Insightful)

alexmipego (903944) | about 4 years ago | (#32927364)

If you work on something you usually like to get paid. It's considered insulting to pay just $500 for a bug simply because you can get a much higher paycheck if you sell it on the black market. So, if you're into security research to make money, $500 is an insult to people's time.

Re:Insulting? (1)

Dare nMc (468959) | about 4 years ago | (#32928396)

It's considered insulting to pay just $500 for a bug

Donald Knuth used to pay $2.56 per bug found in his programming books, the recognition was more valuable than the amount and most people would frame the checks and never cash, as a matter of pride "I was recognized."
So getting an acknowledgment of finding a bug: +value; getting significant money as well: ++value. Not worrying about selling your bug to people who might kill you if they think you screwed them or turned them in, and not worrying if the FBI, etc. will throw you in jail for breaking laws... priceless.

Re:Insulting? (1)

alexmipego (903944) | about 4 years ago | (#32928916)

Finding a bug in a book is a matter of reading, proof reading and testing every example on the book to see if it works well. You could say it's an exact science because you can simply define a couple rules and follow them until you find a small mistake.

Finding a bug on a software isn't that simple. For starters there are millions of lines of code and unlike books a single line can affect millions of other line's logic paths/assumptions/etc. There is no single method you can apply to find a bug and that's why security research is so hard.

No matter how good a security researcher you are, you can never be 100% sure before hand that you can find a bug. Add that to the fact that the rules usually are something like "Critical Bugs only" and you've very few chances of success.

If you're not being paid a steady check to work on something like Mozilla or Chrome, chances are that $500 isn't enough to make you learn their code, test and find something that you might never even find.

Re:Insulting? (1)

Dare nMc (468959) | about 4 years ago | (#32930312)

Finding a bug on a software isn't that simple. For starters there are millions of lines of code

That is likely true for fixing a bug. Nowhere did it say you had to find the line of code that causes the issue. But finding a bug in software, when you have the software, and say it was free software so anyone could use it... Then the difficulty in finding a bug could be as simple as downloading a copy of Mozilla and using it.
Similar to this security issue bounty, his bounty wasn't for grammar, it was for finding a significant issue. Most likely this $500 gives enough incentive to pay for the time spent after discovering something, to see if it's repeatable, document, submit, and answer questions...

Re:Insulting? (1)

alexmipego (903944) | about 4 years ago | (#32930610)

That's true if you're the casual finder, but not if you live off security research.

I do know it isn't as simple as looking at the code and sometimes you don't even do that; the point was that finding a bug in something as widely tested and used as a browser isn't as simple as proof-reading a book.

Re:Insulting? (1)

ArsonSmith (13997) | about 4 years ago | (#32931580)

So the solution is to write a book about Firefox?

Re:Insulting? (2, Informative)

quickOnTheUptake (1450889) | about 4 years ago | (#32929014)

There is a big difference between a personal check from a legend and a check from a foundation or company. I would frame a check from Knuth; I would cash a check from Mozilla.

Re:Insulting? (1)

mots (1192769) | about 4 years ago | (#32929058)

Similarly, google pays $1337 for particularly severe or particularly clever bugs.

Re:Insulting? (1)

ewanm89 (1052822) | about 4 years ago | (#32932030)

He still does (figuratively, anyway, it's now a hall of fame on his website). He did it for TeX too; the key is his pricing scheme with TeX was such that the next bug would be exponentially more expensive, as there were fewer bugs left to find so he paid more for finding them. However, as TeX is now in several different implementations that aren't maintained by Knuth, he no longer needs to worry about the TeX ones.

Re:Insulting? (1)

Goaway (82658) | about 4 years ago | (#32927370)

The companies may not pay for it, but that does not mean there are not others who will pay.

In related news... (-1, Troll)

thijsh (910751) | about 4 years ago | (#32927204)

Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter... oh wait, I forgot, who are ripping on again?

The actual criteria (5, Informative)

Anonymous Coward | about 4 years ago | (#32927402)

Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.

OK, here are the actual criteria, fresh from TFA:

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
  • Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.

Re:The actual criteria (0)

Anonymous Coward | about 4 years ago | (#32931496)

ooh, so they omit the massive security hole of their plugin approval process

Re:In related news... (1, Informative)

Chapter80 (926879) | about 4 years ago | (#32927548)

4 Insightful?

Did you mods even read this? Completely compromises the system from a remote location without internet connection?

Cmon!

Re:In related news... (1)

gumbi west (610122) | about 4 years ago | (#32930928)

The /. editors have infinite mod points and can add more than 1 to a comment. Usually when I see a way out of bounds mod like this that then gets corrected back to reality I wonder if the editor was just being a tool. But since we can't see editor mods separately, you never do know; maybe early birds are just different moderators than late comers.

Re:In related news... (1)

PseudonymousBraveguy (1857734) | about 4 years ago | (#32927682)

Mozilla has a history of paying those bounties, why should that change? Have I missed that they are somehow evil now?

Many eyes make all bugs shallow...not (1, Funny)

Anonymous Coward | about 4 years ago | (#32927268)


Knuth (1)

mandelbr0t (1015855) | about 4 years ago | (#32927520)

It worked for him; the cheque from him was worth far more than the value printed on it. I think that offering rewards for disclosure can only lead to better code. Microsoft hasn't yet implemented this method as they would rapidly go broke.

Find and recreate can take time (1)

bzipitidoo (647217) | about 4 years ago | (#32927604)

As an example, text box input of Firefox used to have some bad bugs I never did track down, though I tried. After much editing and jumping about in the text box, sometimes using backspace would erase the wrong character. Would remove a character at the end of a line several lines above the cursor. Tried to recreate the bug with sequences of keystrokes I guessed might cause it, but no luck. I thought of buying a keylogger so I could capture the keystrokes the next time it happened. But that was getting to be more work than I was willing to do for free, so I never did. Haven't seen that bug in a long time, so I suppose it was inadvertently fixed when rewriting parts of Firefox.

Understandably, developers have this attitude that if it can't be easily recreated, it's not worth hunting down, or the persons who noticed the problem should hunt it down themselves. After all, it could be a PEBKAC. Often a bug like that isn't worth chasing down. What such a bug shows is that the code that handles text input is garbage and ought to be rewritten from scratch, and I think that is what eventually happened.

Que the... (1)

NetNed (955141) | about 4 years ago | (#32927866)

"It's not a bug, it's a feature!"

Re:Que the... (0)

Anonymous Coward | about 4 years ago | (#32932588)

No, you mean "Cue the..."

Bad Idea (2, Informative)

slasho81 (455509) | about 4 years ago | (#32928126)

Giving money for finding bugs is counterproductive. Here's why: http://www.youtube.com/watch?v=AIqtbPKjf6Q [youtube.com]

Re:Bad Idea (1)

bunratty (545641) | about 4 years ago | (#32928384)

That video explains why giving a low amount such as $500 is counterproductive. Paying a fair amount of money for security research is compensating people for the time and effort for finding and reporting the bug. As an example from the video, it's like giving someone $50, a fair amount, to change your tire instead of $1, which is an insulting amount.

Re:Bad Idea (1)

slasho81 (455509) | about 4 years ago | (#32928464)

You completely missed the point. It's about the social contract.

Re:Bad Idea (1)

bunratty (545641) | about 4 years ago | (#32928666)

We don't have a social contract with Mozilla. It's a corporation. Do you build a social relationship with Mozilla so it can help you in times of distress? It sounds like you missed the point.

Re:Bad Idea (1)

dveditz (11090) | about 4 years ago | (#32933458)

A public benefit corporation wholly owned by a non-profit foundation. If you don't think this approach furthers the mission please let us know.

Re:Bad Idea (1)

bunratty (545641) | about 4 years ago | (#32933622)

I think it does further the mission. Giving $3000 per security bug is not counterproductive because security researchers do not have a social contract with Mozilla. Mozilla will not give us a ride to work if our car breaks down. Mozilla giving $3000 for a security bug is not like giving your mother-in-law money for Thanksgiving dinner for this reason.

Re:Bad Idea (1)

TravisO (979545) | about 4 years ago | (#32929158)

Dan is talking about paying money as a routine, like a salary. The security exploit pay is like a reward, you don't get paid for the effort, anybody can make the effort but only 1% of the people who would try are capable of finding a real security hole. The effect doesn't apply.

Re:Bad Idea (0)

Anonymous Coward | about 4 years ago | (#32929450)

Did you even watch the video?

Re:Bad Idea (1)

sunwolf (853208) | about 4 years ago | (#32934394)

....aaaaand more: http://www.youtube.com/watch?v=u6XAPnuFjJc [youtube.com]

Re:Bad Idea (1)

bunratty (545641) | about 4 years ago | (#32934588)

I don't see how that applies in this situation, either. Mozilla is not paying people to specifically look for security problems in Firefox. The security researchers do whatever they want -- they're autonomous, doing the research they want to do for their own motivation. If during their work they happen to find a bug in Mozilla, this makes it easy for them to do the right thing and report the problem to Mozilla first, before someone else finds the problem.

According to the video, if they employed security researchers to specifically look for security bugs in Firefox, it would not work to give them a large bonus for each security bug found. That's not what they're doing, though.

Re:Bad Idea (1)

BZ (40346) | about 4 years ago | (#32935140)

This isn't money for finding bugs. This is money for, once you have found a bug, reporting it to Mozilla as opposed to selling it on the black market or just posting it on your blog so as to 0-day users.

That is, the assumption is that people are looking for bugs and are perhaps finding them. The bounty is to convince them to do things _after_ that in a way that does minimal harm to Mozilla's user.

and sitting in front of my computer (1)

nimbius (983462) | about 4 years ago | (#32928392)

right now using firefox, all i can think is not about how much the firefox team would be glad to receive my find, but how amazed the pub will be when I start my $3000 tab for top shelf microbrews!

Oblig Dilbert Quote (1)

Spikeorama (724224) | about 4 years ago | (#32930076)

I need to sign up to work on Mozilla products! Boss: "Our goal is to write bug free software. I'll pay a ten-dollar bonus for every bug you find and fix. I hope this drives the right behavior." Wally: "I'm gonna write me a new minivan this afternoon!"

Re:Oblig Dilbert Quote (2, Informative)

bunratty (545641) | about 4 years ago | (#32930254)

This is the exact reason for the disqualification criterion for the bug bounty [mozilla.com]

In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.

$10,000 per flaw (1)

AthleteMusicianNerd (1633805) | about 4 years ago | (#32930266)

Is what it would take to get me to look at it.

Re: better idea for $3,000 per bug (0)

Anonymous Coward | about 4 years ago | (#32931340)

Bounty systems are totally worthless. At most one person gets paid for the concurrent labor of dozens of people trying to "win" the contest; meanwhile they're all out the time they spent working for free. If it takes a skilled person a week and a half to find a bug, and the person is guaranteed to receive compensation for the work involved in finding the bug, then the discovery of the bug is worth about $3,000. However, if ten people are competing for the same jackpot, then the total work done is worth $30,000. All but one of those people are probably going to miss a mortgage payment.

Better idea: Offer to pay smart people $400 per day to audit source code. Bring in 7 people per day, so you're paying $2,800 per day. Because the people are all working together and being directed to problem areas by management, they'll be able to work efficiently in parallel, and you'll end up getting a week and a half worth of work done every day, and on average the team will discover a bug every day. Give the person who finds the bug a $200 bonus, and bring them all back tomorrow. Total: $3,000 per bug (average).

Re: better idea for $3,000 per bug (0)

Anonymous Coward | about 4 years ago | (#32931584)

and you wouldn't even need to get out of bed to do it!

microsoft bug fix (1)

helix2301 (1105613) | about 4 years ago | (#32937408)

Microsoft would never do this; they would get hacked apart worse than they do now with virus and spyware problems. Their PR department would be out of control busy. Plus Microsoft's patch team would have to be doubled in staff. Patch Tuesday would be every Tuesday.

Where are they getting the money? (1)

tjstork (137384) | about 4 years ago | (#32940534)

Just curious, but who is donating bucks to Mozilla?
