Meta bug to track security bug bounty nominations. Once decided they should be moved to either the Awarded or Rejected tracking bugs.

Initial bug bounty awards: Marcel Boesch, for bug 249004 Gaël Delalleau, two for bug 245066 and bug 255067 Mats Palmgren and Gaël Delalleau split one for bug 250900 (trunk) and bug 256316 (1.7/aviary branch) Georgi Guninski, two for bug 257314 and bug 258005

Bug 258173 is not a remote exploit, a bounty will not be awarded.

bug 259403 requires Java, does not qualify for bug bounty.

Michael Krax was awarded five bounties: firespoofing (bug 260560), firedragging (bug 279945), firetabbing (bug 280056), fireflashing (bug 280664) and firescrolling2 (bug 288164).

bug 268820 is a duplicate of bug 265668

Catching up on Firefox 1.0.2 and 1.0.3 era Bounties awarded.

Tom Ferris awarded a bounty for bug 307259

heatsync asked me about https://bugzilla.mozilla.org/show_bug.cgi?id=315004

Dan, if bug 340198 qualifies for a bounty, then so do bug 240261 and bug 308244 IMO. They're all duplicates of one another, unrecongized as such (until now) because they are all marked security sensitive.

This is the "nominated" list, doesn't mean we're awarding anything yet. But in fact 340198 isn't a pure duplicate, it combines the behavior described in those older spoofing bugs with the software update system to describe a different blended attack. Also bug 340198 could be solved in ways that don't require solving those other bugs, such as by shipping with the "one true cert" for update.

This bug isn't being used anymore