Mozilla announced to giveaway an amount of $10,000 to anyone who can break the security walls of the Firefox browser. Earlier this year Firefox, along with the Google Chrome, was exploited at the Pwn2Own contest but now Mozilla has strengthen its security like it was never before. However, before rolling it out for everyone, the organization want to test it for any hidden flaws.
Daniel Veditz in a blog post said, “Firefox developer builds (“Nightly“) are now using a new certificate verification library we have been working on for some time, and this code is on track to be released as part of Firefox 31 in July. As we have all been painfully reminded recently (Heartbleed, #gotofail) correct code in TLS libraries is crucial in today’s Internet and we want to make sure this code is rock solid before it ships to millions of Firefox users. To that end we’re excited to launch a special Security Bug Bounty program that will pay $10,000 for critical security flaws found and reported in this new code before the end of June”
The other details at the Mozilla blog mentioned some guidelines for the reporter, it included,
- be in, or caused by, code in
security/certverifieras used in Firefox
- be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”)
- be reported in enough detail, including testcases, certificates, or even a running proof of concept server, that we can reproduce the problem
- be reported to us by 11:59pm June 30, 2014 (Pacific Daylight Time)
The open bug challenge is for the upcoming Firefox 31, where the current version of the browser is Firefox 28, and soon in a day or two Mozilla is also launching the version 29.0.
Daniel Veditz also said, “We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption. Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be.”
The security experts already know that the security is an overall process and its achieved gradually. Bug hunters may or may not find any flaws, but nothing in this world can be 100% secure.