Mozilla is strengthening the SSL certificate verification in its Firefox browser, and is asking for outside help to make sure the new code works. It will pay $10,000 for critical vulnerabilities found in the new verification code: bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, or that can lead to exploitable memory corruption.
Mozilla is more concerned about false positives (an invalid chain accepted) than false negatives (a valid chain rejected). Its reasoning is that it is much worse for the browser to accept an invalid certificate, which lets an attacker impersonate a site, than to reject an otherwise valid one, which only causes a connection error.
Mozilla announced this week that its Firefox browser will include enhanced SSL certificate verification in its release planned for July. The changes will more strictly enforce the requirements for the issuance of trusted certificates set by the Certification Authority/Browser Forum (CAB Forum), the industry standards group founded by Comodo CEO Melih Abdulhayoglu.
The Firefox changes include measures intended to prevent the misuse of subordinate CA (sub-CA) or intermediate certificates.
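The two kinds of chain the article says the new verifier must reject, a chain that validates cryptographically but violates the certificate constraints and a sub-CA used beyond what it was issued for, can be exercised locally. The script below is an added example, not Mozilla's code or test suite: it uses the openssl command line as a stand-in verifier, builds three chains under a throwaway root, and checks which ones are accepted. All names, common names and extension profiles are constructed for the example, and it assumes openssl (1.1.1 or newer) is on PATH.

```shell
#!/bin/sh
# Added example (not Mozilla code): exercise the sub-CA misuse cases a strict
# chain validator must reject, using the openssl CLI as a stand-in verifier.
# Assumes openssl is on PATH; all names, CNs and extension files are made up.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Extension profiles (constructed): a real CA, a CA that may not issue further
# CAs, and an ordinary end-entity (server) certificate.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > ca0.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > ee.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# issue NAME ISSUER EXTFILE: create NAME.key/NAME.pem signed by ISSUER.key with
# the extensions in EXTFILE. It deliberately does NOT check whether ISSUER is
# allowed to issue anything: catching that is the verifier's job.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed trust anchor.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.pem 2>/dev/null

# verify_chain ROOT UNTRUSTED LEAF: print OK or REJECTED. Matching ": OK" in
# the output instead of trusting the exit code works across openssl versions.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo REJECTED
  fi
}

# Case 1, legitimate: root -> sub-CA (pathlen:0) -> server leaf.
issue sub root ca0.ext
issue leaf sub ee.ext

# Case 2, misuse: the root issued "mail" as an ordinary end-entity certificate
# (CA:FALSE, no keyCertSign), but its private key is then used to sign a
# certificate for another name. The signature on the leaf is valid; only the
# basicConstraints/keyUsage checks stand between it and acceptance.
issue mail root ee.ext
issue rogue-leaf mail ee.ext

# Case 3, misuse: the pathlen:0 sub-CA issues a further CA, which issues a leaf.
issue sub2 sub ca.ext
issue leaf2 sub2 ee.ext
cat sub.pem sub2.pem > chain3.pem

printf 'legitimate chain:   %s\n' "$(verify_chain root.pem sub.pem leaf.pem)"
printf 'EE used as issuer:  %s\n' "$(verify_chain root.pem mail.pem rogue-leaf.pem)"
printf 'pathlen:0 exceeded: %s\n' "$(verify_chain root.pem chain3.pem leaf2.pem)"
```

Only the first chain should print OK. The second and third are exactly the class of bug the bounty targets: every signature checks out, and the chain is only rejected because the verifier enforces the CA flag, key usage and path-length constraints on each intermediate rather than just following issuer names back to a trusted root.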