
Wanted: FireFox Security Vulnerabilities

$500 Reward: Looks like Mozilla takes security pretty seriously.

1:48 pm on Aug 2, 2004 (gmt 0)


Has anyone seen the latest announcement on the Mozilla.org RSS feed?

Offering $500 rewards for finding security bugs sure shows the dedication the Mozilla Foundation has for maintaining a secure browser. Do any other browser manufacturers offer this kind of incentive?

2:22 pm on Aug 2, 2004 (gmt 0)

encyclo, Senior Member from CA

Try: Mozilla check #1 [nd.edu] and Mozilla check #2 [cipher.org.uk] (OK the second one didn't work for me at all, and the first is clever but not perfect.)

Another bounty very similar to Mozilla's is one of $10,000 for finding a security breach in qmail. It has to be said that qmail is a far simpler codebase than Mozilla.

Although not for bug reports but rather for catching crackers, Microsoft offers $250,000 for information on virus writers.

Actually, I think this is a good move. Security researchers are already taking a close look at Mozilla, and this will only encourage more participation in the bug-hunting effort.

2:42 pm on Aug 2, 2004 (gmt 0)


Qmail and DJBdns are both by Daniel Bernstein (I'm afraid I have probably butchered the spelling) and both have rewards [cr.yp.to] of $500 for security-related bugs that have remained long unclaimed (qmail's was first offered in 1997). They replaced (the notoriously insecure) sendmail and BIND respectively (curiously, both out of Berkeley, which seems to produce great programmers and terrible software).

The history aside, it seems that qmail has a lower market share than that of sendmail or postfix, largely (in my opinion) because the interface and configuration differ enormously from those of sendmail, which tends to break sendmail-centric programs and make migration troubling at best (postfix is designed to use an interface identical to sendmail's, and the configuration varies for the better). DJBdns suffers a similar fate when compared to BIND.

I guess the moral of the story is that you can have the most secure program in the world, but if you discourage users from switching over to it, it doesn't much help (in fairness, I think Mozilla does not suffer this problem).