Introduction

This FAQ attempts to answer various questions about the Mozilla security bug bounty program sponsored by the Mozilla Foundation. For more information see the original announcement and the official guidelines governing the program.

General questions

Eligible software

Eligible bugs

Bug reporting, etc.

General questions

Why is the Mozilla Foundation doing this?

Because we want to encourage more people to find and report security bugs in our products, so that we can make our products even more secure than they already are. It's as simple as that.

Are Mozilla developers eligible for the bug bounty reward?

Yes. Anyone is eligible to receive a reward except for employees of the Mozilla Foundation and its subsidiaries and the creators and reviewers of the code in which the bug was found. However, as noted in the policy, if you found this bug as part of your job (in other words, while being paid to work on Mozilla) then we'd appreciate it if you would not apply for the bounty, in order to preserve our limited funds for rewarding volunteer contributors.

Eligible software

Can I get the bug bounty reward if I discover a bug in Camino, Galeon, K-Meleon, Netscape 7, Mozilla Suite, SeaMonkey, or other products based on Mozilla code?

Only if we can reproduce the problem in the most recent version of Firefox, Firefox for Android, and/or Thunderbird.

Does the bug bounty cover bugs found in Bugzilla, Tinderbox, Bonsai, and other software created and distributed as part of the Mozilla project?

No. We have decided to use our limited resources to focus on our end-user products, as opposed to the other software produced and used by the Mozilla project.

What do you mean by the "most recent version" of Firefox, Firefox for Android, and/or Thunderbird?

In general we mean the releases available for download on the mozilla.org download page at the time the bug was reported. However we will also consider paying rewards for security bugs as discussed in the questions and answers below.

Can I get the bug bounty reward if I discover a bug in an older release of Firefox, Firefox for Android, and/or Thunderbird?

In general bugs found in earlier releases are eligible for a reward only if we can reproduce the problem using the most recent version.

However as a special exception we will also consider paying rewards for bugs found in the most recent releases from designated stable branches (e.g., from the Mozilla 17 Extended Support Release branch while supported) if the bugs are not present in the most recent version but were never recognized and fixed as security bugs. (For example, the bug might be in code associated with a feature that was removed and/or heavily modified in the most recent version, and might have been "fixed" solely as a byproduct of other unrelated changes.)

Can I get the bug bounty reward if I discover a bug in a pre-release version of Firefox, Firefox for Android, or Thunderbird?

Yes, as long as the bug otherwise meets the published bug bounty program guidelines. Bugs found in Aurora and Beta releases of Firefox and Firefox for Android, and in EarlyBird and Beta releases of Thunderbird, are eligible as long as the bug is reproducible in the latest nightly mozilla-central build and has not been previously reported.

Can I get the bug bounty reward if I discover a bug that occurs in a third-party release of Firefox, Firefox for Android, and/or Thunderbird (e.g., a localized build, optimized build, or third-party Firefox, Firefox for Android, or Thunderbird distribution)?

Yes, if the bug can be reproduced in an official Mozilla Foundation release and otherwise meets the published guidelines.

Can I get the bug bounty reward if I discover a bug that occurs only on a particular operating system?

Yes, if the operating system is officially supported by the most recent version of the product for which you're reporting the bug. (For a list of supported operating systems and hardware configurations, see the system requirements for Firefox, Firefox for Android, and Thunderbird.)

Eligible bugs

What types of security bugs are eligible?

Reproducible security bugs that are determined to be rated sec-critical or sec-high are eligible. In general we consider critical security bugs to be those that allow execution of arbitrary code on users' systems, while high severity security bugs allow access to users' confidential information. In the latter case we consider bugs to be sec-high only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be sec-high if they potentially expose only lower-value information (e.g., browsing history) or information that would be useful primarily for other exploits (e.g., the names of files or directories on the user's system).

Finally, in general we do not consider bugs that permit only denial of service attacks to be eligible in the sense described above.

Why won't you provide a reward for denial of service (DoS) bugs?

Because DoS bugs are generally less serious than other security bugs (e.g., they typically do not lead to corruption or destruction of user data, much less theft of data), and in many cases a DoS attack does not involve an actual bug but simply misuse of standard product features (e.g., putting up a web site with an excessive number of graphics, sending excessively long mail messages, etc.). We have decided to concentrate our limited resources on rewarding people who find what we consider to be more serious security problems.

Bug reporting, etc.

I've already published information about the bug, and didn't go through the Mozilla bug process; can I still get a reward?

Yes, as long as the bug report occurred after the official announcement of the bug bounty program on August 2, 2004, and otherwise meets the published bug bounty program guidelines (e.g., the bug has not been reported previously and is reproducible in the most recent version of the affected product).

However we do encourage people to report bugs directly to the Mozilla project, in order to ensure that the bug is made known as soon as possible to the people who can fix it.

If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

I don't have the time or desire to work with you further in investigating and fixing the bug; can I still get a bug bounty reward?

Yes. Again, we're rewarding you for finding a bug, not trying to buy your cooperation. However we do invite you to work together with us, and we hope that you'll accept that offer in the spirit in which it was intended. In return you'll get the opportunity to work as a full member of the team fixing your bug and see "from the inside" exactly how Mozilla security bugs get resolved.