[mozilla.org...]
Offering $500 rewards for finding security bugs sure shows the dedication the Mozilla Foundation has for maintaining a secure browser. Do any other browser manufacturers offer this kind of incentive?
Another bounty very similar to Mozilla's is one of $10,000 for finding a security breach in qmail. It has to be said that qmail is a far simpler codebase than Mozilla.
Although not for bug reports but rather for catching crackers, Microsoft offers $250,000 for information on virus writers.
Actually, I think this is a good move. Security researchers are already taking a close look at Mozilla, and this will only encourage more participation in the bug-hunting effort.
The history aside, it seems that qmail has a lower market share than that of sendmail or postfix, largely (in my opinion) because the interface and configuration differ enormously from those of sendmail, which tends to break sendmail-centric programs and make migration troubling at best (postfix is designed to use an interface identical to sendmail's, and the configuration varies for the better). DJBdns suffers a similar fate when compared to BIND.
I guess the moral of the story is that you can have the most secure program in the world - but if you discourage users from switching over to it, it doesn't much help (in fairness, I think Mozilla does not suffer this problem).