It has been just over a month since we announced the expansion of our bounty program to include selected web applications. We have received many bug reports and have awarded $40,000. We will make the resolved bugs public shortly as these issues are no longer a threat to the community and our users.
Since the announcement of the web bounty program, we have received many security bug reports for sites outside of the bounty. We want to reiterate the eligible sites and applications for the bounty.
We want to focus our attention on security issues that protect Firefox users. We excluded other sites for various reasons, including: we plan on replacing them, or we have put these systems in a read only state to lessen their impact. Further details can be found on the Web Security Bounty FAQ, which should be reviewed before submitting a web bounty bug.
Thanks to all the bug submitters for their contributions; the program has been a great success. Beyond the monetary rewards, we sent Mozilla T-shirts to an additional 23 people who submitted security bugs that did not qualify for the web bug bounty. We are in the process of triage for the next round of payments and more should be going out soon.
Director of Infrastructure Security