Bug bounty programs have been around in various forms for more than 15 years now, and many of the larger software companies, including Mozilla and Google, have established rewards for people who report bugs. But, aside from the amount of money that’s paid out when bugs are fixed, there hasn’t been much raw data available about the the way the programs operate. Now, Mozilla has released some numbers on its program that show how effective it has been.
Mozilla actually has two bug bounty programs: one for its Firefox browser and the other for a specific subset of its Web properties. The company started its Web bounty program in December 2010 and offered rewards of up to $3,000 for certain kinds of vulnerabilities reported in those sites. The month before the program was announced, the company had received three bug reports for the Web sites. In December, that number jumped to 87 bug reports. Turns out that people like money.
But that huge increase in reports proved to be by far the highest number that Mozilla would see in the following months. In January 2011, the number of reports fell to 42 and it continued to decrease from there to just seven in February, according to a talk given by Michael Coates of Mozilla at the OWASP AppSec USA conference last week. The number of bug reports settled into the mid-teens over the next few months, but dipped down to just three again for this month to-date.
As one might expect, 60 percent of the bugs reported to Mozilla since the program started are cross-site scripting flaws, with another 10 percent being cross-site request forgery. Interestingly, 11 percent of people who submit bugs have accounted for 56 percent of all of the bugs that qualified for a reward, and only 24 people total have been paid a reward since the program started. Of the 175 bugs submitted to date, only 64 percent of them have actually qualified for the reward program, according to the notes from Coates’s talk.
So far, Mozilla has paid out $104,000 in rewards through the Web bounty program, and nearly 75 percent of that money has gone to high-priority bugs that qualified for a $3,000 reward.