After admittedly letting its bug bounty rewards get a little stagnant, Mozilla on Tuesday announced it was ready to sweeten the pot for researchers contributing vulnerabilities to the program.
Raymond Forbes, an engineer at Mozilla, announced on the company’s website that payoffs were “dramatically” going up, and that variable payouts would be made based on severity, ease of exploit and quality of the report.
Forbes said Mozilla last adjusted its payouts—to $3,000—five years ago.
“We have dramatically increased the amount of money that a vulnerability is worth,” Forbes said. “On top of that, we took a look at how we decided how much we should pay out.”
Mozilla’s Bug Bounty Committee, Forbes said, readjusted how it decides what submissions are worth, and for the first time, decided it will pay out for some bugs that are rated moderate in severity; previous awards for bugs rated critical and high topped out at $3,000.
“The amount that is paid out will be determined by the committee, but the general range is $500 to $2,000,” Forbes said. “This doesn’t mean that all Moderate vulnerabilities will be awarded a bounty but some will.”
Mozilla said the minimum payout for a vulnerability rated high or critical will be $3,000, and the bug must be accompanied by a fuzzer report or crash dump. A high quality bug report of a vulnerability rated critical or high will pay out as much as $5,000; the report must include minimized test cases and clear stack traces, Mozilla said.
For the most severe bugs, Mozilla said it will reward researchers with at least $7,500 for a high quality bug with an exploitable critical vulnerability, such as a remote code execution bug; such a report must include exploit details.
For new vulnerabilities and exploits, a new form of exploitation, or an “exceptional” vulnerability, Mozilla said it will pay out $10,000 or more.
Mozilla said the higher rewards are reserved for work such as demonstrations of new classes of attacks or bypasses of security features.
“Research might also uncover extremely severe, complex, or interesting problem areas that were previously unreported or unknown issues,” Mozilla says in its guidelines. Examples given include use-after-free bugs that result in an ASLR bypass, and sandbox escapes.
Mozilla also announced that it will recognize its top bug contributors through the establishment of the Firefox Security Bug Bounty Hall of Fame. The page lists top contributors dating back to 2010.
Mozilla is only one of numerous large technology companies and enterprises that have deployed bug bounty programs, either independently or through a platform provider such as Bugcrowd or HackerOne. Researchers have numerous options when it comes to reporting bugs: directly to vendors, to bounty providers, or to disclosure programs such as the HP Zero Day Initiative. Some of these programs buy the bugs outright and report them to the affected vendor, publishing details only once customers have been afforded a fix; all of them coordinate disclosure between the researcher and the vendor in question.
While bounties aren’t a recent phenomenon, they do make economic sense, for vendors in particular. Two years ago, a study by the University of California at Berkeley examined Google’s and Mozilla’s bounty programs specifically and determined that, although the two programs had paid out several million dollars between them, that total was far less than it would have cost to hire and train employees to discover the same number of vulnerabilities.