
Mozilla Bug Bounty Raises Questions

This bug bounty program is a great idea. Yes, it could be exploited, I suppose. However, the likelihood of this money being paid to the folks that exploit them is just not something that I foresee happening.

The Mozilla Foundation has awarded $2,500 USD in “bug bounties” to a German man who tracked down five separate security flaws in the Mozilla browser’s code. The bounty program is an effort to make open source software more safe and secure.

Since the program’s inception in 2004, five individuals have received compensation. Michael Krax, the latest recipient, uncovered bugs in Mozilla’s chrome privileges. Funding is provided by Linspire and Mark Shuttleworth.

“We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software,” said Chris Hofmann, director of engineering for the Mozilla Foundation. “This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users.”

The approach is not without its critics. Jupiter Research senior analyst Joe Wilcox told BetaNews such a reward could end up increasing the number of bugs by paying the same hackers capable of exploiting them.

“Uncovering bugs can be a good thing, particularly when security related. The question: Who should uncover those bugs? For years, antivirus companies have offered virus bounties, but I’m skeptical about the approach, which actually could encourage some people to write viruses,” said Wilcox. [Read the rest]
