14 DAY TRIAL // One of the arbitrary code execution vulnerabilities patched in Firefox earlier this week, was discovered by a 12-year-old bug hunter, who earned $3,000 from Mozilla for the find.
The flaw is identified as CVE-2010-3179 and is described as a buffer overflow and memory corruption issue, which can occur using the document.write() function.
The bug can be exploited by tricking potential victims into visiting a specially crafted Web page that crashes their browsers and potentially allows the attacker to execute malicious code on their computers.
"Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data," Mozilla explains.
However, what the advisory doesn't say is that Alexander Miller is a 12-year-old seventh-grader, who lives Willow Glen, San Jose, California.
Apparently, Miller is no stranger to vulnerability research. He knows which and how much companies pay for bugs and has been trying to find one in Firefox ever since Mozilla revamped its reward program earlier this year.
Back in July, the foundation announced that it has increased the reward for critical and high risk flaws discovered in Firefox, Thunderbird and related services from $500 to $3,000.
"A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best way to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," the foundation said at the time.
According to the San Jose Mercury News, Alex Miller spent an average of 90 minutes per day for around 10 days in order to find the vulnerability.
He also had a previous attempt, but the bug he found at the time was not severe enough to qualify for the reward.
Miller declared himself extremely happy and noted that his friends didn't believe him until he showed them the check from Mozilla.
He plans to spend some of the money buying a new computer and Christmas gifts for his family and he already made a donation to an animal rescue organization.
When asked if finding such vulnerabilities is easy, Brandon Sterne, Mozilla's security program manager, told Mercury News that "Absolutely not. The space of people that are contributing in this area is pretty small. This is a very niche technical area."
