Mozilla Increases Security Bug Bounty To $3000


There’s been a number of bounty programs in the past year or so with Mozilla being one of the forerunners with their Mozilla Security Bug Bounty Program.

There are others like Google offering rewards for bugs in Chrome, and other specific high profile bounties like when Microsoft Offered $250K Bounty for Conficker Author.

Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to $3,000.

The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum $1,337 that Google pays for the most severe bugs. Mozilla and Google are the only browser makers that pay security researchers for reporting vulnerabilities in their products.

“A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” said Lucas Adamski, director of security engineering. Mozilla kicked off its bounty program in August 2004 .

Only bugs that Mozilla ranks “crucial” or “high” — its top two ratings — are eligible for payment. In Mozilla’s hierarchy, critical vulnerabilities are those that allow remote code execution; in other words, ones that when exploited give the attacker full control of the machine. High vulnerabilities are those that expose “high-value” personal information, such as usernames, passwords and credit card numbers. Denial-of-service flaws are not eligible for a bounty, Mozilla said.

It’s a big increase too going from $500 all the way to $3000 which is more than double what Google offers for the most critical & clever bugs ($1337). You could earn a decent living if you could find one Mozilla bug a month, especially if you already have a stable monthly salary.

I doubt anyone would be able to find so many bugs, and even if they did it’s still way below the market rate for a real, remotely exploitable 0-day exploit.

I still think it’s a good initiative though and they’ve raised the bounty to make it a more viable option for security researchers to submit vulnerabilities directly to them.


Google launched its own cash-for-flaws program in January 2010, paying $500 for most bugs. Some vulnerabilities, however, earn their discoverer $1,000, or even $1,337, the latter given only to bugs that Chrome’s team judge’s “particularly severe or particularly clever.” The last time Google paid bounties was July 2, when it handed out $2,500 to a pair of researchers for reporting four vulnerabilities.

Adamski announced several other changes to Mozilla’s bounty program on the Mozilla security blog Thursday. Bugs in the Mozilla Suite, which the Mozilla Foundation dropped in 2005 — will no longer be eligible for bounties, said Adamski. But vulnerabilities in Firefox Mobile, Mozilla’s mobile browser, as well as any Mozilla services that Firefox or Thunderbird rely on for safe operation, are eligible.

Mozilla also added new language to its reward policy that gives it some new flexibility. “Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla’s end users,” the revised guidelines now state.

They do say in the statement that if you were paid to find the flaw (e.g. by your company as a security researcher) they would prefer if you didn’t apply for the bounty so they can award the money to people working independently.

So if any of you guys find any interesting flaws in Mozilla products, $3000 might be waiting for you!

Source: Network World

Posted in: Exploits/Vulnerabilities, Secure Coding, Web Hacking

, , , , , ,


Latest Posts:


truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.


Comments are closed.