Tor’s Bug Smash Fund: Help Tor smash all the bugs!
Say hello to our Bug Smash Fund.
When you are building software, your work is not always about adding new features; often, it's about fixing bugs. We know that our community understands it’s very important to fix bugs we encounter in our software—especially bugs that create security problems. But it can be hard to raise money for this type of work, since maintenance is not as exciting as a cool new feature. That’s why we decided to create our Bug Smash Fund.
The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.
When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.
Every donation Tor receives during the month of August will count towards this fund. You can help us be prepared for what bugs may come, and in turn, we can better help keep millions of people around the world safe online and an entire ecosystem of tools healthy.
Support Rapid Response & Emergency Releases
Security bugs happen. We can’t predict when they will happen, but it is inevitable that issues will arise. Our top priority is to smash these bugs as quickly as possible when they are discovered and respond with emergency releases. Sometimes this means diverting our attention from grant-funded projects, and we must use unrestricted funds to pay for this developer time.
Here are some examples of what an emergency release looks like, why these issues happen, and what we’ve done in the past to address them:
- Emergency security update to Tor Browser to handle a mistake in Mozilla’s signing infrastructure. (‘NoScript Temporarily Disabled in Tor Browser,’ 2019)
- Emergency release of Tor Browser, fixing an IP address leak issue caused by a bug in Firefox’s handling of file:// URLs. (‘Tor Browser 7.0.9 is released,’ 2017)
Your donation to the Bug Smash Fund will go in part towards rapid responses to security issues like these.
Support Keeping up with Firefox ESRs
Because Tor Browser is built on top of Mozilla Firefox, when new ESRs are released, the Tor Browser team must evaluate changes to Firefox, weigh their privacy and anonymity implications, and modify or disable features that may compromise our users.
You can get a sense of how our community welcomes this work from the reactions on social media and in the news when we adopted the Firefox Quantum ESR.
We've got BIG NEWS. We gave Tor Browser a UX overhaul.
Tor Browser 8.0 has a new user onboarding experience, an updated landing page, additional language support, and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites. https://t.co/fpCpSTXT2L pic.twitter.com/xbj9lKTApP
— The Tor Project (@torproject) September 5, 2018
— Giorgio Maone (@ma1) September 6, 2018
If you really don't want to be tracked on the net, the new @torproject browser is out. Based on Firefox Quantum interface; new intro for new users; easier bridge mechanism for using it where it's blocked; 9 new languages supported. https://t.co/wzaFLSfjk0
— Stephen Shankland (@stshank) September 5, 2018
Keeping up with ESRs means that Tor Browser users get the user experience improvements of Firefox, and that the Tor team can upstream privacy improvements to Firefox. This work is a regular part of maintaining Tor Browser—and it must happen regularly.
Your donation to the Bug Smash Fund will go in part towards keeping Tor Browser in line with current ESRs.
From August 1 through August 31, any donation that comes to the Tor Project will go towards the Bug Smash Fund and be earmarked for these bugs and maintenance projects.
Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox.
Want to ask a question or learn more about supporting the Tor Project? You can email us at firstname.lastname@example.org.
Thanks to fontvir.us for the font in our images.
The bug smash fund sounds like a great idea - well done!
One comment though:
"Our top priority is to smash these bugs as quickly as possible when they are discovered and respond with emergency releases."
In an ideal world the Tor Project would also have resources to pro-actively seek out bugs, not just wait for them to surface.