
Mozilla offers $10,000 bug bounty to avoid Heartbleed-style code errors

25 Apr 2014

Mozilla has unveiled a new $10,000 bug bounty programme to try to ensure that its Firefox browser does not contain any errors, in a bid to avoid painful security flaws such as the recent Heartbleed and ‘goto fail’ bugs.

The firm said in a blog post that it is looking for people to help it uncover errors before it pushes out a new certificate verification library, to be included in Firefox 31 at the end of July.

Security researchers will have until the end of June to help spot any bugs and report them to the firm. Daniel Veditz, security lead at Mozilla, wrote: “As we’ve all been painfully reminded recently, correct code in TLS [transport layer security] libraries is crucial in today’s internet, and we want to make sure this code is rock solid before it ships to millions of Firefox users.

“To that end we’re excited to launch a special Security Bug Bounty program that will pay $10,000 for critical security flaws found and reported in this new code before the end of June.”

There are a number of criteria that bug hunters must adhere to in order to claim any reward. The vulnerability must:

•    Be in, or caused by, code in security/pkix or security/certverifier as used in Firefox.

•    Be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”).

•    Be reported in enough detail, including testcases, certificates, or even a running proof of concept server, that we can reproduce the problem.

•    Be reported to us by 11:59pm, 30 June 2014 (Pacific Daylight Time).

“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” Veditz explained.

“Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP [online certificate status protocol] responses would be.”

Other security bugs can still be worth up to $3,000 under the firm's wider Security Bug Bounty scheme, Veditz added.

The move comes in the wake of several high-profile coding errors that have sent the tech community scrambling. The Heartbleed flaw revealed that the majority of the world's web servers were not secure and millions of users of major sites were at risk.

To counter this threat, web giants such as Facebook, Google and IBM have joined forces with the Linux Foundation to work more closely on the open source tools they use, to try to ensure such a major issue does not happen again.

Dan Worth
Dan Worth is the news editor for V3, having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3, Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.
