Mozilla Bug Bounty Raises Questions
By David Worthington | Published March 31, 2005, 5:37 PM
The Mozilla Foundation has awarded $2,500 USD in "bug bounties" to a German man who tracked down five separate security flaws in the Mozilla browser's code. The bounty program is an effort to make open source software safer and more secure.
Since the program's inception in 2004, five individuals have received compensation. Michael Krax, the latest recipient, uncovered bugs involving Mozilla's chrome privileges, the elevated privilege level reserved for the browser's own user-interface code, which ordinary web content should never be able to obtain. Funding is provided by Linspire and Mark Shuttleworth.
"We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users."
The approach is not without its critics. Jupiter Research senior analyst Joe Wilcox told BetaNews such a reward could end up increasing the number of bugs by paying the same hackers capable of exploiting them.
"Uncovering bugs can be a good thing, particularly when security related. The question: Who should uncover those bugs? For years, antivirus companies have offered virus bounties, but I'm skeptical about the approach, which actually could encourage some people to write viruses," said Wilcox.
The task of identifying bugs in Mozilla's software has taken on new meaning in the wake of the surging popularity of the Firefox Web browser. In February 2005, Firefox surpassed 25 million downloads. What's more, a recent survey reports that Firefox is used by 5.69 percent of Web surfers.
The Mozilla Foundation has released two security updates to Firefox since the official launch of version 1.0 last November. The updates featured a number of security fixes that addressed a highly publicized spoofing vulnerability and a potential exploitation of Netscape-era legacy code.
Firefox proponents insist that the software is a secure alternative to Microsoft's Internet Explorer and provides a safer Web browsing experience. In a biannual Internet Threat Report published by Symantec, 21 vulnerabilities were found in Mozilla-based browsers in the second half of 2004; seven of those received a "critical" designation. By comparison, Internet Explorer had nine critical bugs in the same period.
"The Internet Explorer versus Firefox security debate comes down to this: not the number of bugs but the ability to quickly fix them," said Jupiter's Wilcox.
"Microsoft contends that its control over the source code and commercial resources mean faster fixes to major bugs. Open source advocates claim the all-eyes approach will diminish the number of bugs and marshal tens of thousands when there is crisis. If I were an IT manager, the bug bounty wouldn't instill confidence in the open source position."
For its part, Microsoft says its policy is to acknowledge in security bulletins the bug finders who work responsibly with the company. "Microsoft does not pay security researchers for bringing vulnerabilities to our attention," a company spokesperson told BetaNews.
Nate Mook contributed to this report.
Which is why MS will never implement a similar program. They would go broke in payouts for how many holes and bugs are in their programs and OSes.
Score: 0
Mozilla can be forgiven for a few bugs — as can Microsoft — but they both continue to get better. Still, paying for bug finders is like paying the mugger not to rob you.
Score: 0
Are you kidding me? I can't see how this program can be viewed as a bad thing. Maybe if someone contributed a piece of bad code and then attempted to make money off the fix for it, but that isn't the case. This is rewarding people for disclosing security bugs instead of exploiting them. Someone who discovers a bug can now debate as to whether they want to make people suffer by exploiting it, or would they rather put a quick grand in their pocket and get their name recognized for doing something good. Sounds like a good plan to me....
Score: 0
That's what I was thinking. I don't see how this is bad. It's not like the report/claim doesn't get reviewed thoroughly.
Score: 0
Not a bad thing at all. Your analogy doesn't make sense either, because the people who are discovering these holes are not exploiting them. They're like consultants in the security area.
Score: 0
This is the whole reason for open source: to allow others to contribute to the betterment of the application. I haven't heard of anyone attacking an OS through Firefox or Mozilla because of a security issue; all I have heard is that the ones finding the security holes are helping to patch them up... If MS had something like this, in a perfect world, there may be fewer attacks, who knows!
Score: 0
Just a quick comment: do we realize that most of IE's bugs or 'Critical Updates' are fixed before the public even knows about them? Microsoft releases the patch to correct the holes they already know about; then someone reverse-engineers the patch to exploit what Microsoft has already found. Example: Sasser. The patch to correct this exploit came out 10 days before the first machine was even attacked. It's the fault of the users who NEVER patched their system 10 days earlier. The debate shouldn't be about whose browser or OS is more secure or how many bugs each has had, but whether each user is going to be responsible for their own system. Writers of viruses like Sasser know the percentage of people who have patched their system doesn't even measure up to the number of people who never do. I think that any company that encourages people to try and hack into their systems is just asking for trouble. Eventually they are going to find something! I think this article should open eyes. It doesn't matter what software or combination of software you use; if YOU don't use it correctly then you're not safe from exploits. It's not the software's fault; IT'S YOURS, THEIRS, AND MINE! Peace!
Score: 0
I would imagine that any company that knows of a bug would patch it as soon as possible, that is what the bug bounty is for after all, isn't it? Open source has a place in the future and it's not going anywhere, better get used to it.
Score: 0
Hmmm, MS has been taken to task before for not fixing bugs reported by others, and further, not even warning the public about other steps they may take to avoid particular vulnerabilities... for months at a time sometimes....
Score: 0
But if the mugger teaches you and all your friends judo, was it really a bad deal?
There will always be bugs in code, but there are a finite number of them. If you can minimize the damage they do, that's a Good Thing(tm). Eat the damages in the production phase or eat them in bad PR. Firefox wouldn't be so popular if it weren't for the bad PR Microsoft has been getting.
What the Mozilla Foundation is saying is, "We care enough about bugs that we want you to find them before they become grandfathered; and we will pay you."
Microsoft's reputation is "We only fix bugs when they are exploited."
MF is a tad more progressive :-)
Score: 0