12-yr Old Finds Mozilla Security Flaw

I remember in the late 1990s when people made fun of the Microsoft certification program because 12-yr olds were passing the MCSE test. That was a measure of what kids saw as the future career path and they were mostly right. Today the measure of success has shifted to security bounty programs, as reported by the San Jose Mercury News. I see attempts made to portray a 12-yr old bug hunter as brilliant:

“Mozilla depends on contributors like these for our very, sort of, survival. Mozilla is a community mostly of volunteers. We really encourage people to get involved in the community. You don’t have to be a brilliant 12-year-old to do that,” [Brandon Sterne, security program manager at Mozilla] says.

[…]

Alex is virtually self-taught, says his mother, Elissa Miller. Reading his parents’ very technical books is not an assignment, it’s something he just does; and he understands them. He has a “gift for the technical,” Elissa says.

The story mentions that it took only 900 minutes of testing (15 hours) for Alex to find the bug he reported. He received $3000, so by his own estimate that is $200/hour. This probably does not account for all the bugs he sent in before he found one that qualified, or the time Mozilla spent explaining why and how those did not qualify. Even if it took four times as long, it is still a good rate for a kid. The bounty program is, in short, offering very well-paid training in finding security bugs…which can be found by virtually anyone. Rather than call this an act of brilliance (as some also tried with the MCSE tests) we could call it further proof that the barrier to finding security flaws is actually quite low.

Companies that want to raise the barrier should invest in security management, up to the executive level, that will not let software go to market without passing a rigorous test. Apple just released a program to the web that did not prompt for the old password before allowing a new one to be set. That check is what stops anyone who can reach a logged-in session (a shared machine, a stolen session cookie) from quietly locking the real owner out of the account for good. This unbelievable mistake was said by some to be a result of “beta” status. Let’s get real. Apple security just played its hand: if you are watching this game you can now confidently say they lack the desire or capability to stop serious security bugs from going to market. They can’t even find the little ones.
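To make the missing check concrete, here is an added example (not Apple’s code, nor anything from Mozilla) of a change-password handler written two ways: one that trusts the session alone, and one that re-verifies the current password and rotates the session identifier after the change. The in-memory user record, the session dict and the function names are assumptions for illustration only.

```python
"""Change-password handlers: the missing re-authentication check and its fix.

Added example; the user store, session shape and function names are
illustrative assumptions, not any vendor's real implementation.
"""
import hashlib
import hmac
import os
import secrets

MIN_PASSWORD_LENGTH = 8


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored hashes are not directly comparable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str) -> dict:
    """Constructed in-memory user record; a real app would persist this."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(user: dict, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def change_password_vulnerable(user: dict, session: dict, new_password: str) -> bool:
    """The flawed flow: any authenticated session may set a new password.

    Whoever holds the session (a stolen cookie, an unattended browser) can
    take the account over permanently without knowing the current password.
    """
    if not session.get("authenticated"):
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = _hash_password(new_password, user["salt"])
    return True


def change_password_hardened(
    user: dict, session: dict, current_password: str, new_password: str
) -> bool:
    """The corrected flow: prove possession of the current password first.

    Also enforces a minimum length and rotates the session id so that other
    sessions bound to the old id (including an attacker's) are cut off.
    """
    if not session.get("authenticated"):
        return False
    if not verify_password(user, current_password):
        return False  # reject without touching the stored credential
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = _hash_password(new_password, user["salt"])
    session["id"] = secrets.token_hex(16)
    return True


def demo() -> dict:
    """Run both flows against a hijacked session; returns the outcomes."""
    hijacked = {"authenticated": True, "id": "stolen-session-id"}

    victim = make_user("correct horse battery")
    took_over = change_password_vulnerable(victim, hijacked, "attacker-chosen")

    victim = make_user("correct horse battery")
    blocked = not change_password_hardened(
        victim, hijacked, "wrong guess", "attacker-chosen"
    )
    owner_still_works = verify_password(victim, "correct horse battery")
    return {
        "vulnerable_takeover": took_over,
        "hardened_blocked": blocked,
        "owner_password_intact": owner_still_works,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints that the vulnerable handler hands the account to the session holder while the hardened one refuses and leaves the owner’s password untouched; the session rotation matters because a re-authentication prompt alone does nothing for a session the attacker already controls.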

Compare with the HMS Astute, which just ran aground. Even the most sophisticated systems have errors, but a day after the incident the Royal Navy was already talking about a court martial and criminal proceedings for the Captain over those errors. Until software is treated with that level of seriousness, you can expect virtually anyone to be capable of finding and turning in security flaws. It is not only how brilliant attackers are but also how liable defenders are that gives a measure of security maturity and management.

One thought on “12-yr Old Finds Mozilla Security Flaw”

  1. Well, it was always easy to produce software with a baseline of security and even immunity to large classes of attacks. Over the past few decades, academics and professionals have come up with so many solutions I can’t even mentally picture them all. I think we haven’t been focusing enough, though, on the most important area: selling security ROI to management. I think academics and the security community need to put a massive effort into developing strategies for getting management on board, similar to the efforts they put into technical aspects. What do you think, Davi?
