
Mozilla offers $10,000 bug bounty to avoid Heartbleed-style code errors

25 Apr 2014

Mozilla has unveiled a new $10,000 bug bounty programme to try to ensure that its Firefox browser does not contain any errors, in a bid to avoid any painful security flaws such as the recent Heartbleed and ‘go to fail’ bugs.

The firm said in a blog post that it is looking for people to help it uncover errors before it pushes out a new certificate verification library, to be included in Firefox 31 at the end of July.

Security researchers will have until the end of June to help spot any bugs and report them to the firm. Daniel Veditz, security lead at Mozilla, wrote: “As we’ve all been painfully reminded recently, correct code in TLS [transport layer security] libraries is crucial in today’s internet and we want to make sure this code is rock solid before it ships to millions of Firefox users.

“To that end we’re excited to launch a special Security Bug Bounty program that will pay $10,000 for critical security flaws found and reported in this new code before the end of June.”

There are a number of criteria that bug hunters must adhere to in order to claim any reward. The vulnerability must:

•    Be in, or caused by, code in security/pkix or security/certverifier as used in Firefox.

•    Be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”).

•    Be reported in enough detail, including testcases, certificates, or even a running proof of concept server, that we can reproduce the problem.

•    Be reported to us by 11:59pm, 30 June 2014 (Pacific Daylight Time).

“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” Veditz explained.

“Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP [online certificate status protocol] responses would be.”
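The bug class Veditz describes (a chain accepted when it should be rejected), as an added illustration that is neither the article's nor Mozilla's code: a toy chain check over dict certificates, with HMAC tags standing in for real signatures and every name and key constructed here. Its buggy mode skips the check that each issuer is a CA, so a chain minted from an ordinary end-entity certificate is accepted; the fixed mode rejects it.

```python
import hashlib
import hmac
import json

# Constructed stand-in for public-key signatures: one secret per name and an
# HMAC tag as the "signature". Real X.509 uses asymmetric keys; the chain
# logic below is what matters for the bug class discussed in the article.
KEYS = {"Test Root": b"root-secret", "legit.example": b"leaf-secret"}

def _tbs(cert):
    """Bytes covered by the signature: every field except the signature itself."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def issue(subject, issuer_name, is_ca):
    """Build a certificate for `subject` signed with issuer_name's key."""
    cert = {"subject": subject, "issuer": issuer_name, "ca": is_ca}
    cert["sig"] = hmac.new(KEYS[issuer_name], _tbs(cert), hashlib.sha256).hexdigest()
    return cert

def verify_chain(chain, trust_anchors, enforce_ca=True):
    """chain[0] is the end-entity cert; each cert must be signed by the next one,
    and the last by a trust anchor. enforce_ca=False reproduces the classic bug:
    an end-entity certificate is accepted as an issuer (no CA constraint check)."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_anchors.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return False                        # no path to a trusted root
        tag = hmac.new(KEYS[issuer["subject"]], _tbs(cert), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, cert["sig"]):
            return False                        # signature does not verify
        if enforce_ca and not issuer["ca"]:
            return False                        # issuer is not a CA: reject
    return True

ROOT = issue("Test Root", "Test Root", is_ca=True)
ANCHORS = {ROOT["subject"]: ROOT}
LEGIT = issue("legit.example", "Test Root", is_ca=False)   # ordinary site cert
# The holder of legit.example's key mints a cert for another name with it.
FORGED = issue("bank.example", "legit.example", is_ca=False)

def results():
    tampered = dict(LEGIT, subject="evil.example")          # body changed, old signature
    return {
        "valid_chain": verify_chain([LEGIT], ANCHORS),
        "forged_buggy_verifier": verify_chain([FORGED, LEGIT], ANCHORS, enforce_ca=False),
        "forged_fixed_verifier": verify_chain([FORGED, LEGIT], ANCHORS),
        "tampered": verify_chain([tampered], ANCHORS),
    }
```

A real verifier also checks validity periods, name constraints, key usage, path length and revocation; this toy isolates only the issuer-must-be-a-CA rule.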

Other security bugs can still be worth up to $3,000 under the firm's wider Security Bug Bounty scheme, Veditz added.

The move comes in the wake of several high-profile coding errors that have sent the tech community scrambling. The Heartbleed flaw revealed that the majority of the world's web servers were not secure and millions of users of major sites were at risk.

To counter this threat, web giants such as Facebook, Google and IBM have joined forces with the Linux Foundation to work more closely on the open source tools they use, to try to ensure such a major issue does not happen again.

Dan Worth

Dan Worth is the news editor for V3, having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3, Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.
