Adding Web Applications to the Security Bug Bounty Program

Chris Lyon


Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites. We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.

This new policy will go into effect starting December 15th, 2010 PST, and any new web application bugs will fall under this new policy. It is important to note that nothing else has changed with the original security bounty program and the updated amount which was announced back in July.

The Web Security Bounty FAQ includes which types of vulnerabilities will be considered and which sites will be considered to be a part of the Web Application Bounty Program.

The full text of the security bounty program:
http://www.mozilla.org/security/bug-bounty.html

Chris Lyon
Director of Infrastructure Security

6 responses

  1. Neal Poole wrote on ::

    The FAQ says “Since our code is opensource, you are encourage to run on the software on your own server instance or just look at the source code for potential issues.”

    Where can we find the source for these applications?

  2. Wladimir Palant wrote on ::

    Nice! Too bad my past bug reports aren’t eligible :)

    @Neal: addons.mozilla.org/versioncheck.addons.mozilla.org is currently using two codebases:
    http://viewvc.svn.mozilla.org/vc/addons/ – old PHP-based code
    http://jbalogh.github.com/zamboni/ – new Python-based rewrite

    Most other sites are also there in SVN, e.g. under http://viewvc.svn.mozilla.org/vc/projects/

  3. reed wrote on ::

    @Neal: It varies… Some are in svn.mozilla.org, while others are in hg.mozilla.org or even github.com/mozilla/. If you have a specific application you want a direct link to the source code for, let me know.

  4. Neal Poole wrote on ::

    Sweet, thanks for the links! That’ll be very helpful. :)

  5. güvenlik şirkerleri wrote on ::

    good! I like mozilla this cause

  6. Semi-Crank wrote on :

    the names of the actors posting here seem to change often. not that I care much, but IMHO currently your most valued professional seems to have “a4” in the name. lol.