Mozilla Security Bug Bounty Program Announced

August 3, 2004

The Mozilla Foundation today announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project’s software.

Under the new program, users reporting critical security bugs – as judged by the Mozilla Foundation staff – will collect a $500 cash prize. The new initiative was launched with funding from leading Linux software developer Linspire, Inc., and renowned Internet entrepreneur Mark Shuttleworth.

“As Mozilla software builds momentum in the marketplace, I’m inspired by the Mozilla Foundation’s enduring commitment to transparency and responsiveness on security issues, and I am happy to support this program,” commented Mark Shuttleworth.

Identifying software security vulnerabilities requires constant vigilance, and preventing those issues from becoming problems necessitates a dedicated effort to provide quick and effective responses. The Mozilla project has developed a community of users and developers who are passionate about computer security and who continuously provide feedback on Mozilla software. The Mozilla Security Bug Bounty Program seeks to further encourage the community’s focus on security consciousness and responsiveness.

“This program reflects our commitment to protecting consumers from malicious actors,” commented Mitchell Baker, President of the Mozilla Foundation. “Recent events illustrate the need for this type of commitment. While no software is immune from security vulnerabilities, bugs in open source projects are often identified and fixed more quickly. The Security Bug Bounty Program will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers.”

Security experts agree that it is virtually impossible to produce software that is absolutely secure against all possible attacks. As a result, experts recommend that software combine a strong security design and good security practices to maximize the amount of protection available. The Mozilla Security Bug Bounty Program provides an additional mechanism for identifying potential vulnerabilities.

“Worry-free security on the Internet is long overdue and we’re committed to supporting the Mozilla Foundation’s efforts to give users peace of mind,” said Michael Robertson, Chief Executive Officer of Linspire, Inc. “We strongly urge the open source community to take advantage of this initiative to help identify and report any security problems for correction.”

Linspire, Inc., and Mark Shuttleworth have issued seed funding to support this initiative, to be supplemented by donations from Mozilla supporters. The Mozilla Foundation is inviting its users and supporters to contribute to this initiative by making donations to the bounty’s fund. Tax-deductible contributions can be made through The first $5,000 in community contributions will be matched dollar for dollar by Mark Shuttleworth.

Users who identify security bugs in Mozilla software are encouraged to go to, which links to information about which bugs are eligible and how to claim the bounty.