Mozilla Raises Bug Bounty To $3000 For Security Bugs

Mozilla seems to have now stepped up to the plate to actually pay security researchers for their time spent uncovering new vulnerabilities in their software. The following is taken from the Mozilla Security Bug Bounty Program web site. “The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $3000 (US) cash reward and a Mozilla T-shirt.”

This is great news and really shows that they’re serious about weeding out the bugs in their software, but the question is: if a not-for-profit organization can afford to pay $3000 for a security bug, then why the hell are places like Microsoft, Apple and Oracle not doing the same? I know that we can go through Tippingpoint’s Zero Day Initiative or iDefense’s ZDI, but still. This really is a great initiative, and it will have me spending some late nights trying to find some new bugs.

As security researchers, I’m beginning to think that we should all put a lot more effort into the companies that pay for bugs. They seem to actually care about the security of their products, and I personally have no problem spending a few late nights trying to find a bug in some software if I know that I’m going to get paid for it.

On the other hand, companies such as Microsoft complain when someone releases a 0-day exploit, but you have to wonder whether this would have happened had they had the same sort of bug bounty scheme in place. If Microsoft paid security researchers a fair fee for bugs found in their software, then I’m pretty sure the number of 0-days released by security researchers would drop considerably. It would have to be worthwhile, though. For example, if Microsoft structured their payments according to the severity of the exploit (e.g. a bug affecting all versions of IE would earn a much higher payment than a bug affecting just Windows Vista), people would spend more time trying to find the bugs. After all, what security researcher doesn’t want to be rewarded financially for his time?

Just something for the larger software companies to think about…