Mozilla offers up $10K for bugs found in new certificate verification library
Mozilla is offering up $10,000 to users who find and report critical vulnerabilities in a new certificate verification library on pace to be included with Firefox 31, which is scheduled for release in July.
Bugs reported by the end of June 30 will qualify if discovered in code, or caused by code, in ‘security/pkix' or ‘security/certverifier,' as used by Firefox, according to a Thursday post, which adds that the bugs must be triggered through normal web browsing.
Mozilla is most interested in instances where certificate chains that should be rejected are instead accepted as valid, as well as flaws that lead to exploitable memory corruption, according to the post.
The new certificate verification library is currently being used in Firefox developer builds, known as “Nightly.”