Mozilla Bug Bounty Raises Questions
The Mozilla Foundation has awarded $2,500 USD in "bug bounties" to a German man who tracked down five separate security flaws in the Mozilla browser's code. The bounty program is an effort to make open source software safer and more secure.
Since the program's inception in 2004, five individuals have received compensation. Michael Krax, the latest recipient, uncovered bugs in Mozilla's handling of chrome privileges. Funding is provided by Linspire and Mark Shuttleworth.
"We developed the bug bounty program to encourage and award community members who identify unknown bugs in the software," said Chris Hofmann, director of engineering for the Mozilla Foundation. "This program is one of the many ways the Mozilla Foundation produces safe and secure software for its users."
The approach is not without its critics. Jupiter Research senior analyst Joe Wilcox told BetaNews such a reward could end up increasing the number of bugs by paying the same hackers capable of exploiting them.
"Uncovering bugs can be a good thing, particularly when security related. The question: Who should uncover those bugs? For years, antivirus companies have offered virus bounties, but I'm skeptical about the approach, which actually could encourage some people to write viruses," said Wilcox.
The task of identifying bugs in Mozilla's software has taken on new meaning in the wake of the surging popularity of the Firefox Web browser. In February 2005, Firefox surpassed 25 million downloads. What's more, a recent survey reports that Firefox is used by 5.69 percent of Web surfers.
The Mozilla Foundation has released two security updates to Firefox since the official launch of version 1.0 last November. The updates featured a number of security fixes that addressed a highly publicized spoofing vulnerability and a potential exploitation of Netscape-era legacy code.
Firefox proponents insist that the software is a secure alternative to Microsoft's Internet Explorer and provides a safer Web browsing experience. In a biannual Internet Threat Report published by Symantec, 21 vulnerabilities were found in Mozilla-based browsers in the second half of 2004; seven of those received a "critical" designation. In comparison, Internet Explorer had nine critical bugs over the same period.
"The Internet Explorer versus Firefox security debate comes down to this: not the number of bugs but the ability to quickly fix them," said Jupiter's Wilcox.
"Microsoft contends that its control over the source code and commercial resources mean faster fixes to major bugs. Open source advocates claim the all-eyes approach will diminish the number of bugs and marshal tens of thousands when there is a crisis. If I were an IT manager, the bug bounty wouldn't instill confidence in the open source position."
For its part, Microsoft says its policy is to acknowledge in security bulletins the bug finders who work responsibly with the company. "Microsoft does not pay security researchers for bringing vulnerabilities to our attention," a company spokesperson told BetaNews.
Nate Mook contributed to this report.