Mozilla Expands Vulnerability Bounty Program

Mozilla has announced an expansion of its program of monetary rewards for finding security problems in the infrastructure that supports Firefox development. Payouts for vulnerabilities on Mozilla websites and services have been doubled, and the reward for a vulnerability that can lead to code execution on a key site has been raised to 15 thousand dollars.

Finding an authentication bypass or an SQL injection earns a reward of 6 thousand dollars, and cross-site scripting or CSRF earns 5 thousand dollars. Key sites include firefox.com/org, mozilla.com/org, addons.mozilla.org, getfirefox.com, bugzilla.mozilla.org, search.services.mozilla.com, archive.mozilla.org, download.mozilla.org and several dozen more sites related to add-ons, updates, downloads, synchronization and statistics.

For base sites the reward amounts are roughly half as much. Base sites include observatory.mozilla.org, getpocket.com, premium.firefox.com, hg.mozilla.org and some internal services for developers.

Compared to the previous terms, the following have been added to the list of key sites and services:

  • Autograph (digital signature service),
  • Lando (service for automatically landing code from Phabricator into repositories),
  • Phabricator (a code management tool used for reviewing changes),
  • Taskcluster (a framework for running tasks that supports the continuous integration system and the release build processes).

Among the new base sites noted:

Separately, Mozilla has stated its intention to enable, in the Firefox 72 release scheduled for January 7, measures against intrusive requests for additional site permissions. Many sites abuse the browser's ability to request permissions, mainly by repeatedly asking to send push notifications. Telemetry analysis showed that 97% of such requests are rejected, and in 19% of cases the user closes the page immediately without clicking either the accept or the reject button. In Firefox 72, such requests will be blocked unless user interaction with the page (a mouse click or key press) has been recorded.

Other notable changes coming in Firefox 72 include using the current page's background colors for the scrollbar and the removal of Public Key Pinning (PKP), which allowed a site to use the Public-Key-Pins HTTP header to specify explicitly which certificate authorities' certificates may be used for it. The reasons cited are low demand for the feature, the risk of compatibility problems (Chrome has already dropped PKP support), and the possibility of locking users out of one's own site by pinning the wrong keys or losing the pinned keys (for example through accidental deletion or compromise after a break-in).
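As an added illustration of the lock-out risk just described (this is not code from the article or from Mozilla), the Python snippet below parses a Public-Key-Pins header value and flags policies that would strand clients. The sample digests and headers are constructed, and the checks mirror RFC 7469's requirement that a noted policy contain one pin matching the served chain plus a backup pin.

```python
import base64
from dataclasses import dataclass, field

@dataclass
class PinPolicy:
    pins: list = field(default_factory=list)  # base64 SHA-256 SPKI digests
    max_age: int = None
    include_subdomains: bool = False
    report_uri: str = None

def parse_public_key_pins(header):
    """Parse a Public-Key-Pins header value into its directives."""
    policy = PinPolicy()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy.pins.append(value)
        elif name == "max-age":
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri":
            policy.report_uri = value
    return policy

def lockout_findings(policy, served_spki_digests):
    """List the ways this policy could lock clients out of the site."""
    findings = []
    for pin in policy.pins:
        try:
            valid = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:
            valid = False
        if not valid:
            findings.append(f"pin {pin!r} is not a base64 SHA-256 digest")
    if not any(p in served_spki_digests for p in policy.pins):
        findings.append("no pin matches the served chain: clients with a cached policy reject the site")
    if all(p in served_spki_digests for p in policy.pins):
        findings.append("no backup pin: losing the pinned key locks clients out until max-age expires")
    return findings

# Constructed sample digests standing in for real SPKI hashes.
PIN_CURRENT = base64.b64encode(b"\x00" * 32).decode()
PIN_BACKUP = base64.b64encode(b"\x01" * 32).decode()
INTERMEDIATE = base64.b64encode(b"\x02" * 32).decode()
SERVED_CHAIN = [PIN_CURRENT, INTERMEDIATE]   # leaf + issuing CA as served today
ROTATED_CHAIN = [PIN_BACKUP, INTERMEDIATE]   # chain after moving to the backup key
GOOD_HEADER = f'pin-sha256="{PIN_CURRENT}"; pin-sha256="{PIN_BACKUP}"; max-age=5184000; includeSubDomains'
NO_BACKUP_HEADER = f'pin-sha256="{PIN_CURRENT}"; max-age=5184000'
```

Running `lockout_findings` against both the current and the rotated chain shows why a single-pin policy is the case that strands users: it survives only as long as the one pinned key does.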

Source: opennet.ru
