Firefox 31 is on its way and Mozilla is preparing for the release of a new bug bounty program that seeks to reward security researchers that find flaws in the new certificate verification library.
The company is trying not to take any chances with the security of the new web browser version and will offer $10,000 (€7,225) for critical security flaws found before the end of June.
“As we’ve all been painfully reminded recently (Heartbleed, #gotofail) correct code in TLS libraries is crucial in today’s Internet and we want to make sure this code is rock solid before it ships to millions of Firefox users,” writes Daniel Veditz, Mozilla’s security chief.
He points out that Mozilla's primary interest is in bugs that allow the construction of certificate chains that are accepted as valid when they should, in fact, be rejected. Bugs that could lead to exploitable memory corruption are also high on the company's list.
“Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be,” Veditz added.
The rules of the regular security bug bounty program apply to this one as well: both the bug and the reporter must abide by those guidelines to qualify.
To qualify for the special bounty, the vulnerability must be in, or caused by, code in security/pkix or security/certverifier as used in Firefox. It must also be triggerable through normal web programming, and the report must be detailed enough that the folks over at Mozilla can reproduce the problem.
That means security researchers must make sure to include test cases, certificates, or even a running proof-of-concept server. Everything must be submitted by 23:59 PT on June 30, 2014. Bugs that don't meet these specific parameters will remain eligible for the usual $3,000 (€2,167) bounty.
Heartbleed was exposed a few weeks ago as a bug affecting several versions of OpenSSL. Although the vulnerability has only now been discovered, it has actually been undermining security for the past couple of years.
What's worse, attacks exploiting Heartbleed leave no traces behind, so there is no way of knowing whether hackers or anyone else have taken advantage of it, or what data was stolen.
Services that have patched the bug must also issue new security certificates, and web browsers must be able to tell which sites are safe to visit and which are not. The ever-growing list of new certificates has slowed things down a bit for most browsers.
Mozilla is apparently looking to make sure that nothing slips through the cracks and that users can avoid visiting still affected sites.