新书推介:《语义网技术体系》
作者:瞿裕忠,胡伟,程龚
   XML论坛     W3CHINA.ORG讨论区     计算机科学论坛     SOAChina论坛     Blog     开放翻译计划     新浪微博  
 
  • 首页
  • 登录
  • 注册
  • 软件下载
  • 资料下载
  • 核心成员
  • 帮助
  •   Add to Google

    >> 最新的技术动态
    [返回] 计算机科学论坛休息区『 最新动态 & 业界新闻 』 → Mozilla hikes Firefox bug bounties to $3K 查看新帖用户列表

      发表一个新主题  发表一个新投票  回复主题  (订阅本版) 您是本帖的第 5955 个阅读者浏览上一篇主题  刷新本主题   树形显示贴子 浏览下一篇主题
     * 贴子主题: Mozilla hikes Firefox bug bounties to $3K 举报  打印  推荐  IE收藏夹 
       本主题类别:     
     卷积内核 帅哥哟,离线,有人找我吗?
      
      
      威望:8
      头衔:总统
      等级:博士二年级(版主)
      文章:3942
      积分:27590
      门派:XML.ORG.CN
      注册:2004/7/21

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给卷积内核发送一个短消息 把卷积内核加入好友 查看卷积内核的个人资料 搜索卷积内核在『 最新动态 & 业界新闻 』的所有贴子 访问卷积内核的主页 引用回复这个贴子 回复这个贴子 查看卷积内核的博客楼主
    发贴心情 Mozilla hikes Firefox bug bounties to $3K

    Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to $3,000.

    The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum $1,337 that Google pays for the most severe bugs.

    Mozilla and Google are the only browser makers that pay security researchers for reporting vulnerabilities in their products.

    "A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," said Lucas Adamski, director of security engineering. Mozilla kicked off its bounty program in August 2004.

    Only bugs that Mozilla ranks "crucial" or "high" -- its top two ratings -- are eligible for payment. In Mozilla's hierarchy, critical vulnerabilities are those that allow remote code execution; in other words, ones that when exploited give the attacker full control of the machine. High vulnerabilities are those that expose "high-value" personal information, such as usernames, passwords and credit card numbers. Denial-of-service flaws are not eligible for a bounty, Mozilla said.

    Google launched its own cash-for-flaws program in January 2010, paying $500 for most bugs. Some vulnerabilities, however, earn their discoverer $1,000, or even $1,337, the latter given only to bugs that Chrome's team judge's "particularly severe or particularly clever."

    The last time Google paid bounties was July 2, when it handed out $2,500 to a pair of researchers for reporting four vulnerabilities.

    Adamski announced several other changes to Mozilla's bounty program on the Mozilla security blog Thursday.

    Bugs in the Mozilla Suite, which the Mozilla Foundation dropped in 2005 -- will no longer be eligible for bounties, said Adamski. But vulnerabilities in Firefox Mobile, Mozilla's mobile browser, as well as any Mozilla services that Firefox or Thunderbird rely on for safe operation, are eligible.

    Mozilla also added new language to its reward policy that gives it some new flexibility.

    "Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla's end users," the revised guidelines now state.

    Adamski noted that change in his blog posting, but did not elaborate. Mozilla did not immediately reply to questions early Friday.

    Researchers may have questions for Mozilla about the new language, since the FAQ for the bounty program says that they don't have to wait for patches to be built and applied to, say, Firefox before they go public with their information


       收藏   分享  
    顶(0)
      




    ----------------------------------------------
    事业是国家的,荣誉是单位的,成绩是领导的,工资是老婆的,财产是孩子的,错误是自己的。

    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2010/7/17 15:46:00
     
     GoogleAdSense
      
      
      等级:大一新生
      文章:1
      积分:50
      门派:无门无派
      院校:未填写
      注册:2007-01-01
    给Google AdSense发送一个短消息 把Google AdSense加入好友 查看Google AdSense的个人资料 搜索Google AdSense在『 最新动态 & 业界新闻 』的所有贴子 访问Google AdSense的主页 引用回复这个贴子 回复这个贴子 查看Google AdSense的博客广告
    2024/12/22 10:38:21

    本主题贴数1,分页: [1]

    管理选项修改tag | 锁定 | 解锁 | 提升 | 删除 | 移动 | 固顶 | 总固顶 | 奖励 | 惩罚 | 发布公告
    W3C Contributing Supporter! W 3 C h i n a ( since 2003 ) 旗 下 站 点
    苏ICP备05006046号《全国人大常委会关于维护互联网安全的决定》《计算机信息网络国际联网安全保护管理办法》
    62.500ms