Mozilla Foundation announces first payments of Security Bug Bounty Program, further strengthens browser security

MOUNTAIN VIEW, Calif. – September 14, 2004 – One month after announcing its Security Bug Bounty Program, the Mozilla Foundation is showing the first positive results from this initiative to enlist the help from the open source developer community to make its browsers even more secure. The Mozilla Foundation today released updates to its Firefox and Mozilla 1.7 browsers and Thunderbird email client that include a number of security enhancements and address several potential security vulnerabilities, taking a proactive leadership role in protecting Internet users from malicious attacks.

The Mozilla project announced the first payments awarded as part of its Security Bug Bounty Program to Marcel Boesch, Gael Delalleau, Georgi Guninski, and Mats Palmgren, the first researchers and security experts to find and report qualifying vulnerabilities. After learning about the Security Bug Bounty Program, Mr. Delalleau, a security expert for Zencom Secure Solutions, inspected the Mozilla source code for security vulnerabilities, eventually finding a potential problem in Mozilla’s email component. Commented Mr. Delalleau: “I found that the overall quality of the code is quite good. I audited other parts of Mozilla’s tree without finding anything, before focusing on the POP3 code.” For each critical security issue identified, the Mozilla Foundation paid out a $500 bounty. One of the award winners, Mr. Palmgren, has generously donated his award back to the Foundation to support future bounty payments.

The initial response to the Security Bug Bounty Program confirms that the transparency of Mozilla’s open source model makes applications such as Firefox more secure. The open source community is able to expose potential security vulnerabilities and quickly fix them, before they are exploited by malicious hackers.

More than 400 community members have contributed over $10,000 in donations to the Security Bug Bounty Program since it was announced on August 2, supplementing start-up funding by Mark Shuttleworth and Linspire.

The Mozilla Foundation is inviting researchers and security experts to audit its software for security vulnerabilities on an ongoing basis, and is encouraging its users to continue to make donations to support this important effort. More information about the Security Bug Bounty Program is available at www.mozilla.org/security/.