{"id":2524,"date":"2019-11-19T07:10:26","date_gmt":"2019-11-19T15:10:26","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2524"},"modified":"2019-11-19T07:10:26","modified_gmt":"2019-11-19T15:10:26","slug":"updates-to-the-mozilla-web-security-bounty-program","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/","title":{"rendered":"Updates to the Mozilla Web Security Bounty Program"},"content":{"rendered":"<p>Mozilla was one of the first companies to <a href=\"https:\/\/blog.mozilla.org\/press\/2004\/08\/mozilla-foundation-announces-security-bug-bounty-program\/\">establish a bug bounty program<\/a> and we continually adjust it so that it stays as relevant now as it always has been. To celebrate 15 years since the 1.0 release of Firefox, we are making significant enhancements to the web bug bounty program.<\/p>\n<h2>Increasing Bounty Payouts<\/h2>\n<p>We are <b>doubling<\/b> all web payouts for critical, core and other Mozilla sites as per the <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/web-bug-bounty\/\">Web and Services Bug Bounty Program page<\/a>. In addition, we are <b>tripling payouts<\/b> to $15,000 for Remote Code Execution on <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/bug-bounty\/web-eligible-sites\/#critical-sites\">critical sites<\/a>!<\/p>\n<h2>Adding New Critical Sites to the Program<\/h2>\n<p>As we are constantly improving the services behind Firefox, we also need to ensure that sites we consider <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/bug-bounty\/web-eligible-sites\/#critical-sites\">critical<\/a> to our mission get the appropriate attention from the security community. 
Hence we have extended our web bug bounty program to include the following sites over the last 6 months:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/mozilla-services\/autograph\">Autograph<\/a> &#8211; a cryptographic signature service that signs Mozilla products.<\/li>\n<li><a href=\"https:\/\/moz-conduit.readthedocs.io\/en\/latest\/lando-user.html\">Lando<\/a> &#8211; Mozilla\u2019s new automatic code-landing service which allows us to easily commit Phabricator revisions to their destination repository.<\/li>\n<li><a href=\"https:\/\/wiki.mozilla.org\/Phabricator\">Phabricator<\/a> &#8211; a code management tool used for reviewing Firefox code changes.<\/li>\n<li><a href=\"https:\/\/docs.taskcluster.net\/docs\">Taskcluster<\/a> &#8211; the task execution framework that supports Mozilla&#8217;s continuous integration and release processes (promoted from core to critical).<\/li>\n<\/ul>\n<h2>Adding New Core Sites to the Program<\/h2>\n<p>The sites we consider <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/bug-bounty\/web-eligible-sites\/#core-sites\">core<\/a> to our mission have also been extended to include:<\/p>\n<ul>\n<li><a href=\"https:\/\/blog.mozilla.org\/blog\/2018\/09\/25\/introducing-firefox-monitor-helping-people-take-control-after-a-data-breach\/\">Firefox Monitor<\/a> &#8211; a site where you can register your email address so that you can be informed if your account details are part of a data breach.<\/li>\n<li><a href=\"https:\/\/mozilla-l10n.github.io\/localizer-documentation\/\">Localization<\/a> &#8211; a service contributors can use to help localize Mozilla products.<\/li>\n<li><a href=\"https:\/\/github.com\/mozilla\/subhub\">Payment Subscription<\/a> &#8211; a service that is used as the interface in front of the payment provider (Stripe).<\/li>\n<li><a href=\"https:\/\/private-network.firefox.com\/\">Firefox Private Network<\/a> &#8211; a site from which you can download a desktop extension that helps secure and protect your connection 
everywhere you use Firefox.<\/li>\n<li><a href=\"https:\/\/wiki.mozilla.org\/ReleaseEngineering\/Applications\/Ship_It\">Ship It<\/a> &#8211; a system that accepts requests for releases from humans and translates them into information and requests that our Buildbot-based release automation can process.<\/li>\n<li><a href=\"https:\/\/github.com\/mozilla\/speech-proxy\">Speak To Me<\/a> &#8211; Mozilla\u2019s Speech Recognition API.<\/li>\n<\/ul>\n<p>The new payouts have already been applied to the most recently reported web bugs.<\/p>\n<p>We hope the new sites and increased payments will encourage you to have another look at our sites and help us keep them safe for everyone who uses the web.<\/p>\n<p>Happy Birthday, Firefox. And happy bug hunting to you all!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been. &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/\">Read more<\/a><\/p>\n","protected":false},"author":523,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[45514,45498],"coauthors":[311734],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Updates to the Mozilla Web Security Bounty Program - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Simon Bennetts\" \/>\n\t<meta 
name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/\",\"name\":\"Updates to the Mozilla Web Security Bounty Program - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2019-11-19T15:10:26+00:00\",\"dateModified\":\"2019-11-19T15:10:26+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e2ed1c7653cf96cbac609f05f8197420\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Updates to the Mozilla Web Security Bounty Program\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e2ed1c7653cf96cbac609f05f8197420\",\"name\":\"Simon Bennetts\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/e0a8997361dbe497c8817fa291282996\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e1ecdd76c9fe0ae3ef1397787a126148?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e1ecdd76c9fe0ae3ef1397787a126148?s=96&d=identicon&r=g\",\"caption\":\"Simon Bennetts\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Updates to the Mozilla Web Security Bounty Program - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/","twitter_misc":{"Written by":"Simon Bennetts","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/","url":"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/","name":"Updates to the Mozilla Web Security Bounty Program - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2019-11-19T15:10:26+00:00","dateModified":"2019-11-19T15:10:26+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e2ed1c7653cf96cbac609f05f8197420"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/19\/updates-to-the-mozilla-web-security-bounty-program\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Updates to the Mozilla Web Security Bounty Program"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e2ed1c7653cf96cbac609f05f8197420","name":"Simon 
Bennetts","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/e0a8997361dbe497c8817fa291282996","url":"https:\/\/secure.gravatar.com\/avatar\/e1ecdd76c9fe0ae3ef1397787a126148?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e1ecdd76c9fe0ae3ef1397787a126148?s=96&d=identicon&r=g","caption":"Simon Bennetts"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2524"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/523"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2524"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2524\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2524"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}