Refresh of the Mozilla Security Bug Bounty Program

Lucas Adamski


Mozilla launched its security bounty program in 2004 and while the original mission of protecting users by supporting security research has not changed, the security environment has changed tremendously. In recognition of these changes we are updating our security bounty program to better support constructive security research.

For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information.

We have also clarified the products covered under the bounty to better reflect the threats we are focused upon. We still include Firefox and Thunderbird obviously, but we also added Firefox Mobile and any Mozilla services that those products rely upon for safe operation. These are products we have traditionally paid bounties for on a discretionary basis anyway, but we wanted to make that explicit. Release and beta versions of those products are eligible. Mozilla Suite bugs, however, are no longer eligible, as it is not an officially released nor supported Mozilla product.

In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users. To be very clear, we are not modifying our position regarding payment for publicly disclosed bugs; Mozilla bounty payments are not contingent upon confidential disclosure. While Mozilla strongly encourages researchers to disclose bugs to us privately (and most researchers have), we also believe that researchers should ultimately retain control over when and how the details of their research are disclosed.

We hope other organizations will match our program and actively support constructive security research.

Full text of the security bounty program: http://www.mozilla.org/security/bug-bounty.html

Security bounty FAQ: http://www.mozilla.org/security/bug-bounty-faq.html

Lucas Adamski
Director of Security Engineering

3 responses

  1. Gordon P. Hemsley wrote on :

    The FAQ has not been fully updated to reflect the fact that the Bug Bounty program has been refreshed. In particular, it mentions old dates and version numbers.

  2. IVAN wrote on :

    I found security flaws on the INSS website with the new version of Mozilla, in the section for generating the GPS social security payment slip (Guia da Previdência Social), where it is not generated.

    1. Daniel Veditz wrote on :

      Please mail reports of security problems to security (at) mozilla.org — we can’t respond to those here.