X

Bug hunter gets bounty from Mozilla

A Firefox guru receives a $2,500 reward for finding flaws in Mozilla's browser.

The Mozilla Foundation has given $2,500 to a security researcher for discovering vulnerabilities in its free Web browser.

The group paid $500 to German researcher Michael Krax for each of the five bugs he found in Firefox.

"We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users."

The bugs relate to chrome privileges--a mechanism that allows applications to change user interface details of the browser itself. If abused, this function could alter the 'Home' button, for example, to make it download malicious programs.

Last week, Mozilla issued an update to the browser, version 1.02, that patched a buffer overflow in legacy Netscape code still included in the browser for animating GIF images in Firefox.

Mozilla is one of the few organizations to offer financial incentives to people who find vulnerabilities. Microsoft, which charges for its products and regularly asks the user community to test beta versions of its software, has no such scheme.

A representative for Microsoft said: "We don't pay people to fix bugs, but there are other ways we try to fix security as much as possible. But we can't comment on what Mozilla does."

Microsoft also highlighted its cash reward scheme for informants who help law enforcement agencies to convict virus writers.

Dan Ilett of ZDNet UK reported from London.