Mozilla increases rewards given out to bug hunters
Once again the Mozilla Foundation has upped the bounties it offers to researchers who find and responsibly disclose vulnerabilities in Firefox.
“Those of us on the Bug Bounty Committee did an evaluation of the Firefox bug bounty program as it stands and decided it was time for a change,” says Raymond Forbes, an application security engineer at Mozilla. “The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again.”
So, from now on, bug hunters who deliver a high quality bug report (with details on exploitation) on a clearly exploitable, critical vulnerability can earn as much as $7,500.
Those who provide a high quality report (including minimized test cases and clear stack traces) of a critical or high vulnerability can get up to $5,000, and those who provide a minimal report (fuzzer report or a crash dump) on high or critical vulnerability will get at least $3,000.
Also, for the first time ever, the committee will begin awarding bounties for medium vulnerabilities ($500 – $2500). Forbes explained that was because some researchers would submit reports about vulnerabilities that they believed to be severe, but would ultimately be rated as moderate, and they would not be rewarded for their efforts.
These newest changes don’t mean that all moderate vulnerabilities will be awarded a bounty, but some will, he pointed out.
More details on how to participate in the program can be found here .
Mozilla Foundation has one of the most long-standing bug bounty programs (since 2004). In 2010, they extended the bug bounty program to encompass vulnerabilities in its web proprieties and services, and little over a year ago they started a topical bug bounty program that rewarded researchers that discovered critical security flaws in a certificate verification library meant to be implemented in the company’s products.
So far, the Foundation has paid out close to 1.6 million dollars in bounties.