It has long been known inside the security community that Mozilla pays out a nice sum to those who find serious vulnerabilities in the Firefox web browser. Now Mozilla has stepped it up and raised the bounty from $500 to $3000. Mozilla has also extended the reward to the new Firefox Mobile line, as well as the Thunderbird email client and other new products.
To become eligible for the bounty, security experts and “ethical” hackers must find a new and unique, or previously unknown, security vulnerability. Below are the guidelines for the bug bounty.
- Security bug must be original and previously unreported.
- Security bug must be a remote exploit.
- Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
- Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.
- Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
- Employees of the Mozilla Foundation and its subsidiaries are ineligible.
Mozilla started their bounty program back in 200, and the six years since then have brought a lot of change in the security community. “A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” wrote the company’s Lucas Adamski.
You can read more at Mozilla’s blog.