Mozilla unveiled the Rust Foundation and a new bounty program

The Rust Core team and Mozilla have announced their intention to create the Rust Foundation, an independent non-profit organization, by the end of the year. The intellectual property associated with the Rust project will be transferred to it, including the trademarks and domain names associated with Rust, Cargo, and crates.io.

The organization will also be responsible for organizing the project's funding. Until the transfer, the Rust and Cargo trademarks are owned by Mozilla and are subject to fairly strict usage restrictions, which creates difficulties for Linux distributions that package them.

In particular, Mozilla's trademark terms of use prohibit keeping the project name when changes or patches are applied.

Distributions may redistribute packages named Rust and Cargo only if they are built from the unmodified original sources; otherwise, prior written permission from the Rust Core team or a name change is required.

This restriction hinders distributions from quickly fixing bugs and vulnerabilities in their Rust and Cargo packages on their own, without first coordinating the changes with upstream.


Recall that Rust was originally developed as a project from the Mozilla Research division, which in 2015 was transformed into a standalone project with independent management from Mozilla.

Although Rust has evolved autonomously since then, Mozilla has continued to provide financial and legal support. These responsibilities will now pass to a new organization created specifically to steward Rust.

This organization can be seen as a neutral entity independent of Mozilla, which should make it easier to attract new companies to support Rust and improve the project's long-term viability.

New rewards program

Mozilla also announced that it is expanding its program of cash rewards for reporting security problems in Firefox.

In addition to vulnerabilities themselves, the Bug Bounty program will now also cover methods of bypassing the browser's built-in mechanisms that prevent exploits from working.

These mechanisms include: the sanitizer that cleans HTML fragments before they are used in a privileged context; the separation of memory used for DOM nodes from that used for Strings/ArrayBuffers; the ban on eval() in the system context and in the main process; the strict Content Security Policy (CSP) applied to service pages such as "about:config"; the rule that the main process may load only "chrome://", "resource://" and "about:" pages; the ban on executing external JavaScript in the main process; and the mechanisms separating privileged JavaScript (used to build the browser interface) from unprivileged JavaScript code.
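As an added illustration (this is not Firefox's own code and is not taken from the article), the main-process load restriction described above can be modelled as an allowlist check on the parsed URL scheme. The function names and the sample URLs are assumptions made for this example. The point worth showing is that the decision is made on the scheme reported by the WHATWG URL parser, not on a string prefix, so scheme case and "chrome://" substrings inside an ordinary web URL are handled by the parser rather than by ad-hoc matching.

```javascript
// Illustrative model (not Firefox code) of a main-process load policy:
// only "chrome://", "resource://" and "about:" URLs may be loaded.
const MAIN_PROCESS_SCHEMES = new Set(["chrome:", "resource:", "about:"]);

// Returns { allowed, reason } for a URL string. Parsing with the WHATWG URL
// class normalizes scheme case and takes the scheme from the URL itself,
// never from a substring elsewhere in the string.
function checkMainProcessLoad(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    // Unparseable input is rejected rather than guessed at.
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!MAIN_PROCESS_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted in main process` };
  }
  return { allowed: true, reason: "ok" };
}

// Boolean convenience wrapper.
function isAllowedInMainProcess(urlString) {
  return checkMainProcessLoad(urlString).allowed;
}

// Constructed sample loads (hypothetical paths, apart from the well-known about:config).
const SAMPLE_LOADS = [
  "chrome://browser/content/browser.xhtml",
  "resource://gre/modules/Example.jsm",
  "about:config",
  "CHROME://browser/content/browser.xhtml",      // scheme case is normalized by the parser
  "https://example.test/chrome://not-a-scheme",  // embedded substring is not a scheme
  "javascript:void(0)",
  "data:text/html,<p>hi</p>",
  "not a url at all",
];

// Evaluate every sample and return the decisions for inspection or logging.
function auditSampleLoads(samples = SAMPLE_LOADS) {
  return samples.map((u) => ({ url: u, ...checkMainProcessLoad(u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditSampleLoads()) {
    console.log(`${r.allowed ? "ALLOW" : "DENY "} ${r.url}  (${r.reason})`);
  }
}
```

Running the file prints one ALLOW/DENY line per sample; the four allowlisted loads pass and the rest, including the upper-case scheme variant, are classified purely on what the parser reports.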

A forgotten check for eval() in Web Worker threads is given as an example of a bug that qualifies for the new reward.

If a reported vulnerability also bypasses one of these exploit mitigations, the researcher receives an additional 50% on top of the base reward for the vulnerability (for example, a UXSS vulnerability that bypasses the HTML Sanitizer would earn $7,000 plus a $3,500 bonus).


Notably, the expansion of the rewards program for independent researchers comes in the context of Mozilla's recent layoff of 250 employees, which included the entire Threat Management team responsible for detecting and analyzing incidents, as well as part of the security team.

A change to the rules for rewarding vulnerabilities found in nightly builds was also announced.

Such vulnerabilities are often discovered quickly anyway by Mozilla's automated internal checks and fuzzing.

Reports of them do not improve Firefox's security or its fuzzing infrastructure, so a vulnerability in a nightly build will only be rewarded if the issue has been present in the main repository for more than 4 days and was not already identified by internal checks or Mozilla employees.
