It pays to bug hunt
Mozilla says it's awarded bug hunters around $1.6 million to date, and while that's a tidy sum, the browser maker is willing to up the ante in order to increase the security of Firefox.
Five years ago, Mozilla increased the award amount for discovering security flaws to $3,000. However, they had to be rated Critical or High to qualify for a monetary award. That's no longer case -- going forward, Mozilla will fork over funds for fishing out vulnerabilities rated as Moderate with awards ranging from $500 to $2,000. Mozilla also added a category that pays out $10,000 or more for what it considers a "Novel" vulnerability or exploit.
Here's a look at the new pay scale:
- $500 to $2,500: Medium vulnerability
- $3,000: Minimum for a high or critical vulnerability
- $5,000: High quality bug report of a critical or high vulnerability
- $7,500: High quality bug report with clearly exploitable critical vulnerability
- $10,000+: Novel vulnerability and exploit, new form of exploitation or an exceptional vulnerability
While $10,000 and higher awards will obviously be rare, it's nice that Mozilla has added a $500 to $2,500 tier for bugs that aren't as severe. The exact amount will continue to be determined by those serving on Mozilla's Bug Bounty Committee, and while not all medium vulnerabilities will qualify for an award, "some will," Mozilla says.
Details of Mozilla's bug bounty program can be found here.
Follow Paul on Google+, Twitter, and Facebook
From maximumpc
from http://bit.ly/1KCDRQe
