Web Bounty Update

Chris Lyon


It has been just over a month since we announced the expansion of our bounty program to include selected web applications. We have received many bug reports and have awarded $40,000. We will make the resolved bugs public shortly, as these issues are no longer a threat to the community and our users.

Since the announcement of the web bounty program, we have received many security bug reports for sites outside of the bounty. We want to reiterate the eligible sites and applications for the bounty.

  • addons.mozilla.org
  • aus*.mozilla.org
  • bugzilla.mozilla.org
  • download.mozilla.org
  • getpersonas.com
  • pfs.mozilla.org
  • services.addons.mozilla.org
  • versioncheck.addons.mozilla.org
  • www.mozilla.com/org
  • www.firefox.com
  • www.getfirefox.com
  • *.services.mozilla.com

We want to focus our attention on security issues that affect the safety of Firefox users. We excluded other sites for various reasons, including that we plan to replace them or have put them in a read-only state to lessen their impact. Further details can be found in the Web Security Bounty FAQ, which should be reviewed before submitting a web bounty bug.

Thanks to all the bug submitters for their contributions; the program has been a great success. Beyond the monetary rewards, we sent Mozilla T-shirts to an additional 23 people who submitted security bugs that did not qualify for the web bug bounty. We are in the process of triage for the next round of payments, and more should be going out soon.

Chris Lyon
Director of Infrastructure Security

addons.mozilla.org disclosure

Chris Lyon


On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users; however, as a precaution we felt we should disclose it to the people affected and err on the side of disclosure.

The database included 44,000 inactive accounts using older, MD5-based password hashes. We erased all the MD5 password hashes, rendering those accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 with per-user salts has been the standard storage method for the password hashes of all active users since April 9th, 2009.
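The contrast between the two storage schemes named above is easy to see in code. The following is an added example written for this page, not Mozilla's or the addons.mozilla.org code: it hashes a set of constructed sample passwords with unsalted MD5 and with per-user-salted SHA-512, counts how many accounts end up sharing a digest under each scheme, and shows how erasing the legacy hashes disables those accounts. The `sha512$<salt>$<digest>` record layout, the 16-byte salt length and the sample account names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts for the demo; not data from the disclosure.
# alice and bob deliberately share a password to show the difference salting makes.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}


def legacy_md5_hash(password: str) -> str:
    """Older scheme: unsalted MD5 of the password alone.
    Two accounts with the same password get the same digest, so a leaked
    table reveals shared passwords and can be matched against precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Current scheme described on the page: SHA-512 with a per-user random salt.
    The 'sha512$<salt_hex>$<digest_hex>' record layout is an assumption for the demo."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per account (assumed length)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def verify_salted_sha512(password: str, record: Optional[str]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    A record of None means the account was disabled (its hash erased)."""
    if record is None:
        return False
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "sha512":
        return False
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


def build_table(users: Dict[str, str], salted: bool) -> Dict[str, Optional[str]]:
    """Hash every sample password with either the legacy or the salted scheme."""
    if salted:
        return {name: salted_sha512_hash(pw) for name, pw in users.items()}
    return {name: legacy_md5_hash(pw) for name, pw in users.items()}


def shared_digest_count(table: Dict[str, Optional[str]]) -> int:
    """Number of distinct digests stored for more than one account.
    Per-user salts drive this to zero even when passwords repeat."""
    seen: Dict[str, int] = {}
    for rec in table.values():
        if rec is not None:
            seen[rec] = seen.get(rec, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


def disable_legacy_accounts(table: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Mirror the remediation on the page: erase the legacy hashes so those
    accounts can no longer authenticate until they are re-enabled some other way."""
    return {name: None for name in table}


if __name__ == "__main__":
    md5_table = build_table(SAMPLE_USERS, salted=False)
    sha_table = build_table(SAMPLE_USERS, salted=True)
    print("shared digests, unsalted MD5:", shared_digest_count(md5_table))   # 1 (alice and bob)
    print("shared digests, salted SHA-512:", shared_digest_count(sha_table))  # 0
    print("alice login ok:", verify_salted_sha512("correct horse", sha_table["alice"]))  # True
    disabled = disable_legacy_accounts(md5_table)
    print("disabled alice login ok:", verify_salted_sha512("correct horse", disabled["alice"]))  # False
```

Two design points worth noting: `hmac.compare_digest` avoids leaking digest bytes through comparison timing, and the salt is stored alongside the digest because it only needs to be unique, not secret. Per-user salting is what prevents one leaked table from exposing every account that shares a password; a deliberately slow key-derivation function such as PBKDF2, bcrypt or Argon2 goes further than a single SHA-512 pass and is what a practitioner would choose for new systems today, but that is beyond what this post describes.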

It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla's infrastructure. This information was also sent to impacted users by email on December 27th.

Chris Lyon
Director of Infrastructure Security

Adding Web Applications to the Security Bug Bounty Program

Chris Lyon


Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites. We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.

This new policy will go into effect starting December 15th, 2010 PST, and any new web application bugs will fall under this new policy. It is important to note that nothing else has changed with the original security bounty program and the updated amount which was announced back in July.

The Web Security Bounty FAQ lists which types of vulnerabilities will be considered and which sites are considered to be a part of the Web Application Bounty Program.

The full text of the security bounty program:

Chris Lyon
Director of Infrastructure Security