Mozilla introduces the Rust Foundation and a new bounty program

The Rust Core team and Mozilla have announced their intention to create the Rust Foundation, an independent organization, by the end of the year. The intellectual property associated with the Rust project will be transferred to it, including the trademarks and domain names associated with Rust, Cargo, and crates.io.

The organization will also be responsible for organizing the project's funding. Until the transfer to the new organization, Rust and Cargo are trademarks owned by Mozilla and are subject to strict usage restrictions, which causes some problems when distributions ship the packages.

In particular, Mozilla's trademark terms of use prohibit keeping the project name if changes or patches have been applied.

Distributions may redistribute a package under the names Rust and Cargo only if it is built from the original sources; otherwise, either prior written permission from the Rust Core team or a name change is required.

This restriction gets in the way of quickly fixing bugs and vulnerabilities in the Rust and Cargo packages without coordinating the changes with upstream.


Recall that Rust was originally developed as a project of Mozilla's research division, and that in 2015 it was turned into a standalone project with governance independent of Mozilla.

Although Rust has developed independently since then, Mozilla has provided financial and legal support. These functions will now move to a new organization created specifically to look after Rust.

This organization can be seen as a venue that does not belong to Mozilla, which makes it easier to attract new companies to support Rust and raises the project's value.

New bounty program

In another announcement, Mozilla said it is expanding its initiative to pay cash rewards for finding security problems in Firefox.

In addition to vulnerabilities, the Bug Bounty program will now also cover methods of bypassing the mechanisms in the browser that keep exploits from working.

These mechanisms include: a system for sanitizing HTML fragments before they are used in a privileged context; memory partitioning for DOM nodes and Strings/ArrayBuffers; disabling eval() in the system context and in the parent process; applying strict CSP (Content Security Policy) restrictions to the "about:config" service pages; a ban on loading pages other than "chrome://", "resource://" and "about:" in the parent process; a ban on executing external JavaScript code in the parent process; and the separation between privileged JavaScript code (used to build the browser interface) and unprivileged JavaScript code.

A forgotten eval() check in Web Worker threads was given as an example of a bug that qualifies for the new reward.

If a vulnerability is found and the exploit protection mechanisms are also bypassed, the researcher can receive an additional 50% of the base reward paid for the identified vulnerability (for example, for a UXSS vulnerability that bypasses the HTML Sanitizer mechanism, it will be possible to receive $7,000 plus a $3,500 bonus).


Notably, the expansion of the reward program for independent researchers comes against the backdrop of the recent layoff of 250 Mozilla employees, which included the entire Threat Management team responsible for detecting and analyzing incidents, as well as part of the security team.

A change was also reported in the rules for applying the reward program to vulnerabilities found in nightly builds.

It should be noted that such vulnerabilities are found right away during internal automated checks and fuzz testing.

Such bug reports do not improve security or Firefox itself, so for nightly builds a reward will be paid only if the issue has been in the main repository for more than 4 days and has not been detected by internal checks or by Mozilla employees.

