As the web browser wars continue, it looks like Mozilla Firefox is losing a lot of ground to the popular Internet Explorer 8. Of course, Microsoft does have the advantage of shipping a large number of computers (running Windows) with IE as the default browser. But let’s face it, Firefox is a bit behind in evolution for the time being, as version 4.0 is still in beta. Still, Firefox users are much more passionate about their choice than any other browser’s users will ever be.
The Mozilla project has, for a long time, been offering cash bounties to users who uncover security bugs. The cash reward was introduced about six years ago, but it looks like bug finders aren’t very interested in the money and turn the reward down quite often.
According to Mozilla, somewhere between 10 and 15 percent of the serious security bugs reported have been handed over free of charge. In August 2004, Mozilla offered a $500 reward for security bugs. Since then, more than 80 people have uncovered as many as 120 bugs, and Mozilla has increased the reward to a maximum of $3000 for critical security bugs. “A lot of people would say, ‘Don’t worry about it. Donate it to the EFF [Electronic Frontier Foundation] or just send me a T-shirt,’” said Jonathan Nightingale, the director of Firefox development, in a recent interview.
Noticing how well this reward system works for the Mozilla project, Google has also announced that it will pay up to $3000 for reports of security bugs in its various products. Both Mozilla and Google are now actually paying people who contribute bug reports, whereas Microsoft, which has the habit of charging its users for, well, everything, has so far refused to offer such rewards.
The creator of Firefox also explains that, while in the US $3000 might not seem like a large sum of money, in other countries it really counts.
“In North America, $3,000 is not nothing,” Nightingale said. “But in a lot of the world, $3,000 is a big deal, and our contributions come from lots of places.” Mozilla doesn’t pay for most of the bugs that get reported; its reward system is mainly reserved for security flaws.
But no one seems to be complaining about this, and as mentioned before, some people even turn down the reward after contributing a bug report. Aside from being fair, the cash reward serves another purpose. Bugs can fetch a lot of money on the black market, where criminals can’t wait to get their hands on any vulnerability that would let them spread malware to users’ computers. By offering a reward for reporting these bugs, Mozilla stands a fair chance that the user who discovers such a bug comes to Mozilla instead of going to the black market. Other software companies have noticed how helpful such a system can be and are now also considering implementing a bug reporting program.