Mozilla has unveiled a new $10,000 bug bounty programme to try and ensure that its Firefox browser does not contain any errors, in a bid to avoid any painful security flaws such as the recent Heartbleed and ‘go to fail’ bugs.
The firm said in a blog post that it is looking for people to help it uncover errors before it pushes out in a new certificate verification library, to be included in Firefox 31 at the end of July.
Security researchers will have until the end of June to help spot any bugs and report them to the firm. Daniel Veditz, security lead at Mozilla, wrote: “As we’ve all been painfully reminded recently correct code in TLS [transport layer security] libraries is crucial in today’s internet and we want to make sure this code is rock solid before it ships to millions of Firefox users.
“To that end we’re excited to launch a special Security Bug Bounty program that will pay $10,000 for critical security flaws found and reported in this new code before the end of June.”
There are a number of criteria that bug hunters must adhere to in order to claim any reward. The vulnerability must:
• Be in, or caused by, code in security/pkix or security/certverifier as used in Firefox.
• Be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”).
• Be reported in enough detail, including testcases, certificates, or even a running proof of concept server, that we can reproduce the problem.
• Be reported to us by 11:59pm, 30 June 2014 (Pacific Daylight Time).
“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” Veditz explained.
“Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP [online certificate status protocol] responses would be.”
Other security bugs can still be worth up to $3,000 under the firm's wider Security Bug Bounty scheme, Veditz added.
The move comes in the wake of several high-profile coding errors that have sent the tech community scrambling. The Heartbleed flaw revealed that the majority of the world's web servers were not secure and millions of users of major sites were at risk.
To counter this threat web giants such as Facebook, Google and IBM have joined forces with the Linux Foundation to work more closely on the open source tools they use, to try and ensure such a major issue does not happen again.
Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.