As part of a special security bug bounty program, Mozilla Corporation is offering $10,000 to anyone who reports a qualifying security vulnerability in the new cryptography library it plans to deploy in a yet-to-be-released version of Firefox.
Today, Mozilla’s security engineering team announced the company had developed a new certificate verification library for its products, known as mozilla::pkix. Mozilla said the new code is more robust and easily maintainable than its existing one. The reason for this special bug bounty program is that the company would like to ensure that there are no serious security flaws in their code before the new library’s projected release along with Firefox version 31 on or sometime after July 1.
The move is a clear reaction to the recent emergence of troubling cryptography vulnerabilities – like the OpenSSL Heartbleed bug and Apple’s Goto Fail – that exposed large swaths of the Internet to exploits that are difficult to detect and mitigate.
Mozilla believes its new certificate verification library will be an upgrade over existing ones “because certificate path building attempts all potential trust chains for a certificate before giving up (acknowledging the fact that the certificate space is a cyclic directed graph and not a forest).” Furthermore, the security team says the new implementation will be easier to maintain because of its slimmed down code base (having only 4,167 lines of C++ code compared to the previous 81,865 lines of code that was auto-translated from Java to C).
“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” writes Daniel Veditz, security lead at Mozilla Corporation. “Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed [Online Certificate Status Protocol] responses would be.”
In order to qualify for the payout, researchers must not only adhere to the rules of Mozilla’s existing bug bounty program, but also meet the following requirements as well:
- the bug has to be present in or caused by code in security/pkix or security/certverifier as used in Firefox;
- it must be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”);
- researchers will need to report their bugs in enough detail, including test cases, certificates, or even a running proof-of-concept server, that Mozilla can reproduce the problem;
- bugs will also have to be reported by 11:59 p.m. Pacific time on June 30 (ahead of the Firefox 31 release).
Valid security bugs that don’t meet the specific parameters of this special program, the company says, will remain eligible for Mozilla’s typical $3,000 bug bounties.