In the wake of the recent discoveries of the Heartbleed OpenSSL bug and the SSL “gotofail” bug, Mozilla has announced a new and topical bug bounty program: it offers $10,000 to any researcher that discovers and responsibly reports critical security flaws in a new certificate verification library that will soon be implemented in the company’s products.
This latest special Security Bug Bounty program has been instituted to make sure that many eyes pass through the new code and to enhance the possibility that critical security vulnerabilities (if there are any) are spotted and fixed in time.
“As we’ve all been painfully reminded recently (Heartbleed, #gotofail) correct code in TLS libraries is crucial in today’s Internet and we want to make sure this code is rock solid before it ships to millions of Firefox users,” commented Daniel Veditz, Security Lead at Mozilla Corporation.
Researchers are expected to follow the previously-set guidelines for participating in the program, and will receive the $10,000 prize if the bug is found in or caused by code in security/pkix or security/certverifier as used in Firefox; is triggered through normal web browsing; and is adequately reported (details, testcases, certificates, perhaps even a PoC) by the end of June.
“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” Veditz explained. “Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be.”
Other bugs that are found but not satisfy the criteria for this special bug bounty program will still be eligible for the long-standing one.