Mozilla has decided to follow the lead of Google and expand its bug-bounty program to pay for vulnerabilities found on certain of its Web sites, including the site for Firefox and the main Mozilla site.
The group said that bounties for bugs found on the eligible sites will start at $500 and could be as much as $3,000, depending upon the severity and type of bug. Mozilla security officials said that the group has paid researchers for bugs on some Web applications in the past, but that it was typically only for rare or very severe vulnerabilities. That’s going to change, beginning Wednesday, when the new program goes into effect.
“We have only paid on critical or extraordinary web application
vulnerabilities which have a direct impact against the client. We are
now going to include critical and high severity web application
vulnerabilities on selected sites.
We are giving a range starting at $500 (US) for high severity and, in
some cases, may pay up to $3000 (US) for extraordinary or critical
vulnerabilities,” Mozilla’s Chris Lyon, director of infrastructure security, said in a blog post.
“We want to encourage the discovery of security issues within our web
applications with the goal of keeping our users safe. We also want to
reward security researchers for their efforts with the hope of
furthering constructive security research.”
The list of sites that are eligible for the expanded bounty program includes:
In early November, Google extended its own bug bounty program to Web applications, including some of the company’s more prominent sites, such as Google.com, YouTube and Blogger. Google’s top payout for a Web vulnerability is $3133.70.
Like Google, Mozilla has laid out a few ground rules for researchers interested in claiming a reward for a Web bug. Most notably, the company specifies that researchers can’t use automated tools against Mozilla’s sites to find vulnerabilities. It also lists some specific bugs that are eligible for the rewards, including XSS, CSRF and injection vulnerabilities. Mozilla officials said in the FAQ for the expanded program that they don’t require researchers to keep bugs under wraps indefinitely once they’ve reported them to Mozilla.
“We’re rewarding you for finding a bug, not trying to buy
your silence. However if you report the bug through the standard
Mozilla process and haven’t already published information about it then
we do ask that you follow the guidelines set forth in the official
policy on handling
Mozilla security bugs. Under this policy security-sensitive bug
reports in our Bugzilla system may be kept private for a limited period
of time to give us a chance to fix the bug before the bug is made
public, with an option for the bug reporter (or others) to open the bug
to public view earlier whenever circumstances warrant it (e.g., if you feel your
bug report is being completely ignored).However, in the interest of
protecting our users, we would appreciate a reasonable amount of
time to address the issue before the information is publicly disclosed,” the company said.