Friday, October 22, 2010

Mozilla Pays 12-year-old Boy for Firefox Security Bug

Via (San Jose, CA) -

It's safe to say a typical Willow Glen 12-year-old doesn't earn $3,000 for a couple of weeks' worth of work. Then again, Alex Miller is no typical 12-year-old.

Alex is a bug hunter, but the bugs he's uncovering are unlikely to end up in any entomological reference book. Instead, the bug Alex found was a valid critical security flaw buried in the Firefox web browser. For his discovery, he was awarded a bug bounty of $3,000 by Mozilla, the parent company of Firefox.

Alex knows the value of bug bounties; he knows what other companies are offering, so when Mozilla upped its bug bounty from $500, he was motivated.


Alex is virtually self-taught, says his mother, Elissa Miller. Reading his parents' very technical books is not an assignment, it's something he just does; and he understands them. He has a "gift for the technical," Elissa says.

While some may contend that Alex spends too much time on the computer, Miller is quick to point out that he's not just playing games; what Alex is doing is learning.

"Clearly it's his passion," she says.

Alex has other interests, such as badminton and guitar. He's also learning Mandarin. And a smile breaks across his face as he recalls a quest to build a deadly robot in the Science Olympiad.

He can talk politics like a 40-year-old who's hooked on NPR news shows and enjoys a good debate. But there are reminders that he isn't yet old enough to vote.

"But you still have to do chores," Miller reminds him when he talks of his next debugging mission.

Until he produced a copy of the check from Mozilla, Alex says his friends didn't actually believe him when he told them about the money.


Spending the first $100 didn't take long; he made a donation to his neighbor's nonprofit organization, Unconditional Love Animal Rescue, which the Miller family also supports by fostering found kittens.

He very much wants a new computer, and since he says he's been pretty bad about it in the past, he plans to buy Christmas gifts for his family. The rest will stay put in the bank, where, if Alex gets his way, it will be joined by more bug bounty.


Here is the bug - MFSA 2010-65 (CVE-2010-3179)

Hat-tip to Charlie Miller and Dino A. Dai Zovi for spreading the story on Twitter.

1 comment:

  1. I just read the news somewhere else. It's amazing that a 12-year-old boy found the bug in Firefox, but at the same time Firefox's team should think about making their unsecured platform more secure.