Mozilla's New ASan Nightly Build Project Bug Bounty Program 2018

Mozilla's New ASan Nightly Build Project Bug Bounty Program 2018

A new solution of the Nightly Build was opened with a bug bounty program from Mozilla Corporation in the last days. With a special variant of the Nightly Builds of the Firefox browser, users can search for memory errors completely automatically. Mozilla even wants to distribute rewards for reports submitted in this way.

Like many other companies, Mozilla uses the compiler tool Address Sanitizer (Asan) to automatically search for special memory corruptions and unhandled problems in its Firefox browser. Christian Holler a mozilla employee writes in a news post that this is much more beneficial to the team, especially in the case of use after free bugs than with the crash reports usually found in bug reports. Therefore the team now offers a variant of firefox nightly, in which asan is activated and with which bug bounties can be collected.

Mozilla started this project to find bugs in the wild and then use the asan bug report to identify and fix the security problems. In some special cases the mozilla team refered that some issues would although it may not be reproducible. Especially for this purpose the new bug bounty program was opened and is now additionally extended with a browser addon.

So far the necessary ASan Nightly builds are only available for Linux, but the team is actively working on the support for Windows and MacOS, which will follow. Holler also recommends using at least 16 GByte RAM, since Asan stores a lot of free memory itself in order to detect use after free gaps at all. The browser should then be restarted once or twice a day to free up memory.

Experimental testers who decide to use Asan Nightly builds can now participate in Mozilla's bug bounty program. The automated Asan reports transferred via the addon are handled in exactly the same way as an individual report by a contributor in Mozilla's bug tracker. So if the report submitted is a vulnerability that the team can fix, there is a little financial reward for it. Users only have to observe the usual rules of the bug bounty program and enter their e-mail address in the browser using a setting option.

The latest build for linux can be downloaded here for free.

References:
https://developer.mozilla.org/en-US/docs/Mozilla/Testing/ASan_Nightly_Project
https://blog.mozilla.org/security/2018/07/19/introducing-the-asan-nightly-project/