Refresh of the Mozilla Security Bug Bounty Program

The Mozilla Security Blog has announced a refresh of the Mozilla security bug bounty. The amount awarded for bugs has gone from $500 to $3000, and bugs for Firefox Mobile and Mozilla services are explicitly included, along with other changes. "In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users. To be very clear, we are not modifying our position regarding payment for publicly disclosed bugs; Mozilla bounty payments are not contingent upon confidential disclosure. While Mozilla strongly encourages researchers to disclose bugs to us privately (and most researchers have), we also believe that researchers should ultimately retain control over when and how the details of their research are disclosed."

Best interests?

Posted Jul 18, 2010 20:48 UTC (Sun) by socket (guest, #43)

"...if the reporter has been deemed to have acted against the best interests of our users."

Inquiring minds want to know: What, exactly, do they mean by this? I'm curious what happened, or what hypothetical event could happen, that Mozilla wrote this vague caveat to protect them from?

Maybe I'm just lacking imagination, but I don't see how notifying Mozilla of a security problem could be considered "acting against the best interests of [the] users." What's an applicable scenario?

Best interests?

Posted Jul 19, 2010 1:47 UTC (Mon) by njs (guest, #40338)

Probably things like, someone who sells an exploit on the black market for 6 months and then (once the black-market value has dropped off) notifies Mozilla to wring an extra bit of cash out of it.

Copyright © 2010, Eklektix, Inc.