{"id":424,"date":"2010-12-14T14:57:13","date_gmt":"2010-12-14T21:57:13","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=424"},"modified":"2010-12-14T14:57:13","modified_gmt":"2010-12-14T21:57:13","slug":"adding-web-applications-to-the-security-bug-bounty-program","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2010\/12\/14\/adding-web-applications-to-the-security-bug-bounty-program\/","title":{"rendered":"Adding Web Applications to the Security Bug Bounty Program"},"content":{"rendered":"<p>Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected <a title=\"sites\" href=\"http:\/\/www.mozilla.org\/security\/bug-bounty-faq-webapp.html#eligible-bugs\" target=\"_self\">sites<\/a>.\u00a0 We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.<\/p>\n<p>We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.<\/p>\n<p>This new policy will go into effect starting December 15th, 2010 PST, and any new web application bugs will fall under this new policy. 
It is important to note that nothing else has changed with the original security bounty program and the updated amount which was announced back in July.<\/p>\n<p>The <a title=\"Web Security Bounty FAQ\" href=\"http:\/\/www.mozilla.org\/security\/bug-bounty-faq-webapp.html\" target=\"_blank\">Web Security Bounty FAQ<\/a> includes which types of vulnerabilities will be considered and which sites will be considered to be a part of the Web Application Bounty Program.<\/p>\n<p>The full text of the security bounty program:<br \/>\n<a href=\"http:\/\/www.mozilla.org\/security\/bug-bounty.html\">http:\/\/www.mozilla.org\/security\/bug-bounty.html<\/a><\/p>\n<p>Chris Lyon<br \/>\nDirector of Infrastructure Security<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities. So we are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.  
<a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/12\/14\/adding-web-applications-to-the-security-bug-bounty-program\/\">Read more<\/a><\/p>\n","protected":false},"author":175,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[45514,335],"coauthors":[],"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/424"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/175"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=424"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/424\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=424"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}