Mozilla on Thursday announced a new certificate verification library for Gecko, the browser engine used in many of the company's applications. At the same time, the company is offering a special reward of 10 thousand dollars for finding security holes in certificate verification in Firefox 31, which is currently in the Nightly test channel and is scheduled for release on July 31.

Mozilla says it is primarily interested in holes that allow the construction of certificate chains that are accepted as valid when they should be rejected, and in anything in the code that leads to memory misuse. In general, if Firefox is unable to verify an otherwise valid certificate, Mozilla does not consider that a security hole, but it does consider a bug that causes the browser to accept forged OCSP responses to be one.

Mozilla says that to qualify for this special reward, security researchers must first follow the rules of its regular reward program for security holes. It has also added further requirements:

- The hole must be in, or caused by, code in security/pkix or security/certverifier as used in Firefox.
- It must be triggerable during normal web browsing (for example, "visit the attacker's HTTPS site").
- It must be reported in sufficient detail, including test cases, certificates, or even a running proof-of-concept server, so that Mozilla can reproduce the problem.
- The report must be filed by 11:59 PM on 30 June 2014 (Pacific time zone).

If you find a security hole that does not meet all of the above criteria, you can file it at bugzilla.mozilla.org and send the bug ID to security@mozilla.org. Mozilla can pay up to 3,000 dollars for a standard security hole.
