Bounty bug hunters!!!

  • Bounty bug hunters!!!

    Apparently Mozilla is serious about security, especially when its software is concerned! Anyway, the open source community is really more reliable than some Redmond-based company.

    Originally posted by Mozilla Foundation
    The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $3000 (US) cash reward and a Mozilla T-shirt.

    Many thanks to Linspire and Mark Shuttleworth, who provided start-up funding for this endeavor.

    Reward Guidelines

    The bounty will be awarded for sg:critical and sg:high severity security bugs that meet the following criteria:

    * Security bug must be original and previously unreported.
    * Security bug must be a remote exploit.
    * Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
    * Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.
    * Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
    * Employees of the Mozilla Foundation and its subsidiaries are ineligible.

    If you found the security bug as part of your job (in other words, while being paid to work on Mozilla code) then we would appreciate your not applying for the bounty. Our funds are limited and we would like this program to focus on people who are not otherwise paid to work on the Mozilla project.

    Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla's end users.

    If two or more people report the bug together the $3000 reward will be divided among them.

    Please file a bug describing the security bug; be sure to check the box near the bottom of the entry form that marks this bug report as confidential. We encourage you to attach a "proof of concept" testcase or link to the bug report that demonstrates the vulnerability. While not required, such a testcase will help us judge submissions more quickly and accurately.

    Notify the Mozilla Security Group by email and include the number of the bug you filed and a brief summary. If you cannot file a bug include the full details in the email and attach any proof of concept testcases or links. Mozilla Foundation staff and the Mozilla Security Group will consider your submission for the Security Bug Bounty and will contact you.

    We ask that you be available to provide further information on the bug as needed, and invite you to work together with Mozilla engineers in reproducing, diagnosing, and fixing the bug. As part of this process we will provide you full access to participate in our internal discussions about the bug; for more information read our policy for handling security bugs.

    More information about this program can be found in the Security Bug Bounty Program FAQ.