Firefox developer builds are now using the library, and researchers are invited to quest for as much as $10,000 for critical security flaws found and reported in the new code before the end of June.
“As we’ve all been painfully reminded recently (Heartbleed, #gotofail), correct code in TLS libraries is crucial in today’s internet,” wrote Mozilla security lead Daniel Veditz, in a blog. “We want to make sure this code is rock solid before it ships to millions of Firefox users.”
To qualify for the special bounty the bug and reporter must first meet the guidelines of the company’s normal security bug bounty program. And, the vulnerability must: be in, or caused by, code in security/pkix or security/certverifier as used in Firefox; be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”); and be reported in enough detail, including test cases, certificates, or even a running proof-of-concept server, so that Mozilla can reproduce the problem.
“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” said Veditz. “Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be.”
Valid security bugs that don’t meet the specific parameters of this special program remain eligible for the usual $3,000 security bug bounty.