Do you love Firefox, Linux, and the internet? Are you interested in earning money from the comfort of your own home? Are you OK with a special flavor of Firefox quietly gobbling up memory in a hunt for exploitable security bugs?
If so, Mozilla has a deal for you.
The open internet organization (and search licensing revenue addict) would like you to go about your usual browsing business with a special Firefox build designed to automatically report potential security flaws in the software back to the mothership.
If you do so, and the reported error turns out to be a legit exploitable vulnerability that Firefox engineers can fix, you'll be rewarded as if you'd submitted the errant code to Mozilla's bug bounty program.
That's right, kids. Your aimless online procrastination could be your ticket to riches through the ASan Nightly Project.
ASan stands for AddressSanitizer. It's a tool that detects bad memory access by C/C++ code that has been shoehorned into a browser. It focuses on identifying things like use-after-free, heap buffer overflows, stack buffer overflows, and other kinds of accidental programming blunders that miscreants can attempt to exploit to hijack browsers and other software.
From within the ASan Nightly Firefox Build, the tool collects and reports ASan errors back to Mozilla. So, in other words, if you open up a webpage that has some funky or devious HTML or script code on it that triggers a software bug within the browser, and the bug is caught and sent to Mozilla and found to be a fixable security hole, you'll be – fingers crossed – rewarded for your find.
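The classes of bug ASan flags, as an added example that is not from the article or from Mozilla's code: a small C program with a heap buffer overflow and a use-after-free of the kind AddressSanitizer reports, beside a bounds-checked copy that it does not flag. The file name asan_demo.c and the clang build line are assumptions.

```c
/* Added example, not from the article or from Mozilla's code. Build with
 * AddressSanitizer:  clang -g -fsanitize=address asan_demo.c -o asan_demo
 *   ./asan_demo overflow  -> ASan aborts with a heap-buffer-overflow report
 *   ./asan_demo uaf       -> ASan aborts with a heap-use-after-free report
 *   ./asan_demo           -> only the bounds-checked copy runs; exit 0   */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe: writes src plus its NUL into a fixed 8-byte heap buffer without
 * checking the length. ASan reports the write past the end of the buffer. */
static void copy_unchecked(const char *src) {
    char *buf = malloc(8);
    if (!buf) return;
    memcpy(buf, src, strlen(src) + 1);   /* overflows when strlen(src) >= 8 */
    free(buf);
}

/* Unsafe: reads the buffer after it was freed. ASan reports the dangling read. */
static int read_after_free(void) {
    char *buf = malloc(8);
    if (!buf) return -1;
    memcpy(buf, "abcdefg", 8);
    free(buf);
    return buf[0];                       /* use-after-free */
}

/* Hardened: refuses input that does not fit, so no out-of-bounds write.
 * Returns 0 on success, -1 if src plus its NUL exceeds dstlen bytes. */
int copy_checked(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience for testing: 1 if src fits an 8-byte buffer via copy_checked. */
int fits_in_8(const char *src) {
    char dst[8];
    return copy_checked(dst, sizeof dst, src) == 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "overflow") == 0)
        copy_unchecked("this string is longer than eight bytes");
    else if (argc > 1 && strcmp(argv[1], "uaf") == 0)
        printf("%d\n", read_after_free());
    else
        printf("fits_in_8(\"abcdefg\")=%d fits_in_8(\"abcdefgh\")=%d\n",
               fits_in_8("abcdefg"), fits_in_8("abcdefgh"));
    return 0;
}
```

Without -fsanitize=address the two unsafe paths may run silently or crash unpredictably, which is exactly why a sanitizer build is needed to catch them.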
"If you are willing to browse the web using this new Firefox environment, you might be eligible to earn a bug bounty: We will treat the automated reporter submissions as if they were filed in Bugzilla," explained Christian Holler, a security engineer at Mozilla, in a blog post on Thursday.
All you have to do is download the special ASan Nightly Firefox Build and surf the web on a Linux machine with at least 16GB of RAM – we're warned that it will use more RAM than usual. (Mozilla says it's working on macOS and Windows builds.)
And here's the catch
Actually, there's a bit more: in order for Mozilla to know where to send the reward, bounty seekers need to type about:config into the address bar of this special version of Firefox and set asanreporter.clientid to their email address.
The altruistically inclined can, of course, submit automated reports without identification or any expectation of reward, knowing that Mozilla operates in perpetual panhandling mode.
Mozilla's bug bounty rules apply: the flaw must have security implications – remote exploit, privilege escalation, or data leakage – and must not have been previously reported. The person reporting the bug cannot be involved in the creation or review of the code, and cannot be employed by the Mozilla Foundation or its subsidiaries.
Bug bounties offered by Mozilla start at $500 for moderate vulnerabilities, subject to the discretion of the Bug Bounty Committee. Critical vulnerabilities start at $3,000 and go up based on the quality of the bug report and the novelty of the vulnerability and exploit.
Astute observers of contractual minutiae may have already surmised that automated bug reports are not the same thing as high-quality bug reports. So, as Mozilla cautions, any ASan Nightly Project award is likely to be on the lower end of the spectrum.
Still, the possibility of a windfall for meandering about the web has some appeal. ®