12-year-old Alex Miller has received a $3000 check from Mozilla for finding a major bug in the Firefox browser. The San Jose Mercury News, reporting on Alex’s reward, noted that Mozilla recently upped its bounty from $500 to $3000 to make it more worthwhile for people to spend their time looking for bugs.
Alex apparently found something in an initial search, but it wasn’t the right sort of bug to quality for the cash reward. So he kept pursuing things, spending about 90 minutes a day for about 10 days until he spotted a memory flaw.
Many open source communities, not just Mozilla, use these sorts of rewards to get people to address key software bugs. As Brandon Sterne, security program manager at Mozilla, told the San Jose Mercury News, “The space of people that are contributing in this area is pretty small. This is a very niche technical area.” And while open source projects rely on their communities’ contributions, these projects help focus efforts on particular development needs.
Of course, it may not be money that necessarily motivates people to work on these open source projects, but bug bounties can be ways to encourage developers – even as young as 12 apparently – to innovate and to de-bug.
Have you had any experiences with bug bounties?