
Mozilla offers $10,000 bounty for 'rock solid' Heartbleed protection in Firefox 31

Appoints a CTO as well
Fri Apr 25 2014, 12:32

Mozilla is offering a $10,000 security bug bounty to the lucky coder who can ensure its Firefox web browser code is "rock solid" against vulnerabilities like Heartbleed when it releases Firefox 31 in July.

"As we've all been painfully reminded recently (Heartbleed, #gotofail) correct code in TLS libraries is crucial in today's Internet and we want to make sure this code is rock solid before it ships to millions of Firefox users," the firm said in a blog post by Mozilla security lead Daniel Veditz.

The software outfit has therefore launched a security bug bounty programme that will pay $10,000 for critical security flaws found and reported in this new code before the end of June.

To qualify for the bounty the bug and reporter must first meet the guidelines of Mozilla's normal security bug bounty programme, that is, the first to file wins in case of duplicates, employees are not eligible, and so on.

However, in addition, to qualify for the special bounty amount, Mozilla said the vulnerability must "be in, or caused by, code in security/pkix or security/certverifier as used in Firefox; be triggered through normal web browsing, for example 'visit the attacker's HTTPS site'; be reported in enough detail, including test cases, certificates, or even a running proof of concept server, that [Mozilla] can reproduce the problem; and be reported by 11:59pm PDT on 30 June".

Veditz wrote, "We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption."

He added, "Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be."

Veditz said that valid security bugs that don't meet the specific parameters of this special programme will still remain eligible for Mozilla's usual $3,000 security bug bounty.

To enter, file a security bug at bugzilla.mozilla.org and send the bug ID or link by mail to security@mozilla.org.

Along with the news of the special bug bounty, Mozilla also announced a new CTO, Andreas Gal, who was promoted from an engineering role. He helped speed up the Firefox browser at a crucial moment and then helped launch the Firefox OS project.

Gal joined Mozilla over six years ago to apply his PhD research to significantly advance the JavaScript engine that powers Firefox with just-in-time compilation, and since then has helped in nearly all of Mozilla's major technology initiatives, including Firefox OS, Rust, Servo, pdf.js and Shumway.

"Andreas will have responsibility for leading technical decision making, representing Mozilla externally on technology, and managing our R&D programs," Mozilla said in a blog post. "He will also continue to serve as VP Mobile as we continue to focus our efforts on delivering and scaling Firefox OS."
