Categories: Security

Adding Web Applications to the Security Bug Bounty Program

Chris Lyon

December 14, 2010

Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites. We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.

This new policy will go into effect starting December 15th, 2010 PST, and any new web application bugs will fall under this new policy. It is important to note that nothing else has changed with the original security bounty program and the updated amount which was announced back in July.

The Web Security Bounty FAQ includes which types of vulnerabilities will be considered and which sites will be considered to be apart of the Web Application Bounty Program.

The full text of the security bounty program:
http://www.mozilla.org/security/bug-bounty.html

Chris Lyon
Director of Infrastructure Security

Keep up with
all things Firefox.

Your e-mail address

Country

Language

HTML Text

I’m okay with Mozilla handling my info as explained in this Privacy Policy.

We will only send you Mozilla-related information.

Thanks!

If you haven’t previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an e-mail from us.

6 comments on “Adding Web Applications to the Security Bug Bounty Program”

Neal Poole wrote on December 14, 2010 at 6:47 pm:

The FAQ says “Since our code is opensource, you are encourage to run on the software on your own server instance or just look at the source code for potential issues.”

Where can we find the source for these applications?
Wladimir Palant wrote on December 15, 2010 at 12:58 am:

Nice! Too bad my past bug reports aren’t eligible 🙂

@Neal: addons.mozilla.org/versioncheck.addons.mozilla.org is currently using two codebases:
http://viewvc.svn.mozilla.org/vc/addons/ – old PHP-based code
http://jbalogh.github.com/zamboni/ – new Pythong-based rewrite

Most other sites are also there in SVN, e.g. under http://viewvc.svn.mozilla.org/vc/projects/
reed wrote on December 15, 2010 at 10:45 am:

@Neal: It varies… Some are in svn.mozilla.org, while others are in hg.mozilla.org or even github.com/mozilla/. If you have a specific application you want a direct link to the source code for, let me know.
Neal Poole wrote on December 15, 2010 at 4:40 pm:

Sweet, thanks for the links! That’ll be very helpful. 🙂
güvenlik şirkerleri wrote on December 18, 2010 at 4:38 am:

good! ı like mozilla this cause
Semi-Crank wrote on December 25, 2010 at 7:03 am:

the names of the actors posting here seem to change often. not that i care much, but IMHO currently your most valued professional seems to have “a4” in the name. lol.

Neal Poole wrote on December 14, 2010 at 6:47 pm:

Wladimir Palant wrote on December 15, 2010 at 12:58 am:

reed wrote on December 15, 2010 at 10:45 am:

Neal Poole wrote on December 15, 2010 at 4:40 pm:

güvenlik şirkerleri wrote on December 18, 2010 at 4:38 am:

Semi-Crank wrote on December 25, 2010 at 7:03 am: