Mozilla Bug Bounty Program Doubles Payouts, Adds Firefox Monitor


In-scope RCE Mozilla bug bounty payouts have also tripled, reaching $15,000.

Mozilla is bumping up its bug bounty payouts and has added new websites and services – including the recently deployed Firefox Monitor – to its bug bounty program in hopes of attracting more researchers to sniff out vulnerabilities.

The browser-maker is doubling bug bounty payouts for most of its in-scope sites and services, as well as tripling payouts for the highest bug classification in its program, remote code execution vulnerabilities. Researchers can now bring in $15,000 for RCE flaws on “critical websites” (sites and services considered critical to Mozilla operations, which pay out at the highest bounty rate) and $5,000 for “core websites” (which pay out bounties, but at a reduced rate).

“Mozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been,” said Simon Bennetts with Mozilla in a Tuesday announcement. “To celebrate the 15 years of the 1.0 release of Firefox, we are making significant enhancements to the web bug bounty program.”

In addition, Mozilla announced that over the past six months, it has added new in-scope “critical websites” and services for its program. This includes:

  • Autograph – a cryptographic signature service that signs Mozilla products.
  • Lando – Mozilla’s automatic code-landing service which allows users to commit Phabricator revisions to their destination repository.
  • Phabricator – a code management tool used for reviewing Firefox code changes.
  • Taskcluster – the task execution framework that supports Mozilla’s continuous integration and release processes.

Mozilla has also added new “core” sites to its program – including Firefox Monitor, a site where users can register their email address so that they can be informed if their account details are part of a data breach. Firefox Monitor, which made waves after it was announced in 2018 on the heels of Mozilla’s partnership with Cloudflare and Have I Been Pwned (HIBP), went into testing earlier this year and has since been released.

Other added “core” websites that are now in-scope include:

  • Localization – a service contributors can use to help localize Mozilla products.
  • Payment Subscription – a service that is used as the interface in front of the payment provider (Stripe).
  • Firefox Private Network – a site from which users can download a desktop extension that helps secure and protect connections everywhere Firefox is used.
  • Ship It – a system that accepts requests for releases from humans and translates them into information and requests that Mozilla’s Buildbot-based release automation can process.
  • Speak To Me – Mozilla’s Speech Recognition API.

Mozilla has continually increased rewards for bug bounty vulnerabilities over the years – the last time being in 2015. Mozilla started its web bounty program in December 2010 and offered rewards of up to $3,000 for certain kinds of vulnerabilities reported in those sites.
