Mozilla Increases Security Bug Bounty To $3000

The New Acunetix V12 Engine


There’s been a number of bounty programs in the past year or so with Mozilla being one of the forerunners with their Mozilla Security Bug Bounty Program.

There are others like Google offering rewards for bugs in Chrome, and other specific high profile bounties like when Microsoft Offered $250K Bounty for Conficker Author.

Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to $3,000.

The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum $1,337 that Google pays for the most severe bugs. Mozilla and Google are the only browser makers that pay security researchers for reporting vulnerabilities in their products.

“A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” said Lucas Adamski, director of security engineering. Mozilla kicked off its bounty program in August 2004 .

Only bugs that Mozilla ranks “crucial” or “high” — its top two ratings — are eligible for payment. In Mozilla’s hierarchy, critical vulnerabilities are those that allow remote code execution; in other words, ones that when exploited give the attacker full control of the machine. High vulnerabilities are those that expose “high-value” personal information, such as usernames, passwords and credit card numbers. Denial-of-service flaws are not eligible for a bounty, Mozilla said.

It’s a big increase too going from $500 all the way to $3000 which is more than double what Google offers for the most critical & clever bugs ($1337). You could earn a decent living if you could find one Mozilla bug a month, especially if you already have a stable monthly salary.

I doubt anyone would be able to find so many bugs, and even if they did it’s still way below the market rate for a real, remotely exploitable 0-day exploit.

I still think it’s a good initiative though and they’ve raised the bounty to make it a more viable option for security researchers to submit vulnerabilities directly to them.


Google launched its own cash-for-flaws program in January 2010, paying $500 for most bugs. Some vulnerabilities, however, earn their discoverer $1,000, or even $1,337, the latter given only to bugs that Chrome’s team judge’s “particularly severe or particularly clever.” The last time Google paid bounties was July 2, when it handed out $2,500 to a pair of researchers for reporting four vulnerabilities.

Adamski announced several other changes to Mozilla’s bounty program on the Mozilla security blog Thursday. Bugs in the Mozilla Suite, which the Mozilla Foundation dropped in 2005 — will no longer be eligible for bounties, said Adamski. But vulnerabilities in Firefox Mobile, Mozilla’s mobile browser, as well as any Mozilla services that Firefox or Thunderbird rely on for safe operation, are eligible.

Mozilla also added new language to its reward policy that gives it some new flexibility. “Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla’s end users,” the revised guidelines now state.

They do say in the statement that if you were paid to find the flaw (e.g. by your company as a security researcher) they would prefer if you didn’t apply for the bounty so they can award the money to people working independently.

So if any of you guys find any interesting flaws in Mozilla products, $3000 might be waiting for you!

Source: Network World

Posted in: Exploits/Vulnerabilities, Secure Coding, Web Hacking

, , , , , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


Comments are closed.