Mozilla expands its bug bounty program

Back in 2004, the Mozilla Foundation instituted a bug bounty program that paid $500 per bug to anyone who reported a critical security vulnerability in the Foundation's software. Six years later, the reward for a single critical bug can reach $3,000.

Not even five months later, Mozilla has decided to up the ante once again, announcing that the bounty program now includes web application vulnerabilities on the following sites:

  • bugzilla.mozilla.org
  • *.services.mozilla.com
  • getpersonas.com
  • aus*.mozilla.org
  • www.mozilla.com and www.mozilla.org
  • www.firefox.com
  • www.getfirefox.com
  • addons.mozilla.org
  • services.addons.mozilla.org
  • versioncheck.addons.mozilla.org
  • pfs.mozilla.org
  • download.mozilla.org

The rewards range from $500 for high-severity flaws such as reflected XSS and TLS failures, to $3,000 for extraordinary or critical vulnerabilities such as stored XSS, CSRF, code injection, and authentication and session-management flaws that lead to account compromise.

The Mozilla Foundation asks only two things of those who plan to search for vulnerabilities: that they not run automated tools against its web services, so that availability is not affected, and that they keep the details of any bug they find to themselves (after reporting it to Mozilla, of course) for a "reasonable amount of time," so that the hole can be patched before the flaw is made public.
