Bug Bounty Program FAQ

This FAQ attempts to answer various questions about the Mozilla security bug bounty program sponsored by the Mozilla Foundation. For more information see the official guidelines governing the program.

General questions

Eligible software

Eligible bugs

Bug reporting, etc.

General questions

Why is the Mozilla Foundation doing this?

Because we want to encourage more people to find and report security bugs in our products, so that we can make our products even more secure than they already are. It's as simple as that. For a historical note, you can see the original announcement from 2004.

Are Mozilla developers eligible for the bug bounty reward?

If you don't work for Mozilla Foundation or its subsidiaries, and are not among the creators or reviewers of the code in which the bug was found - Yes. However, if you found this bug as part of your job (in other words, while being paid to work on Mozilla software) then we'd appreciate it if you would not apply for the bounty in order to preserve our limited funds for rewarding volunteer contributors.

Eligible software

What applications are in scope?

The primary applications we offer bounties for are the most recent version of Firefox or Firefox ESR; Firefox for Android, and Firefox for iOS. Bounties may be awarded for Firefox Private Network VPN, Lockwise, Firefox Reality, or other non-Beta end-user products offered by Mozilla; however, whether a bounty is awarded and the amount will be subject to the committee.

Does the bug bounty cover bugs found in Bugzilla, Rust, Rhino, and other software created and distributed as part of the Mozilla project?

No. We have decided to use our limited resources to focus on our end-user products, as opposed to the other software produced and used by the Mozilla project. However, we do offer a Web Bug Bounty for the Mozilla web sites and services we run for Firefox for our users.

What do you mean by the "most recent version" of Firefox, and/or Firefox for Android?

In general we mean the nightly release available for download on the Mozilla ftp site at the time the bug was reported. However we will also consider paying rewards for security bugs as discussed in the questions and answers below.

Can I get the bug bounty reward if I discover a bug in an older release of Firefox and/or Firefox for Android?

In general bugs found in earlier releases are eligible for a reward only if we can reproduce the problem using the most recent version.

However as an exception we will typically also pay a reward for bugs found in the latest versions of our other channels (Release, Beta, and Extended Support Release channels) if the bugs are not present in their most recent version but were never recognized and fixed as security bugs. (For example, the bug might be in code associated with a feature that was removed and/or heavily modified in the most recent version, and might have been "fixed" solely as a byproduct of other unrelated changes.)

Can I get the bug bounty reward if I discover a bug that occurs in a third-party release of Firefox, Firefox and/or Firefox for Android (e.g., a localized build, optimized build, or third-party Firefox or Firefox for Android)?

Yes, if the bug can be reproduced in an official Mozilla Foundation release and otherwise meets the published guidelines.

Can I get the bug bounty reward if I discover a bug that occurs only on a particular operating system?

Yes, if the operating system is officially supported by the most recent version of the product for which you're reporting the bug. (For a list of supported operating systems and hardware configurations see the system requirements for Firefox or Firefox for Android)

Can I get the bug bounty reward for a vulnerability that is only triggerable with non-default preferences?

Ultimately, the reward is determinate on the sec rating assigned (sec-high or sec-moderate/low.) If the preference is exposed via our Preferences Page; we consider that to be a supported configuration for Firefox. If the preference must be configured via about:config or requires other non-standard Operating System configuration, that is typically not considered a supported configuration. Those vulnerabilities will typically not be rated sec-high, and will be evaluated accordingly for a bounty.

Eligible bugs

What types of security bugs are eligible?

Reproducible security bugs that are determined to be rated sec-high or above are eligible. In general we consider high severity security bugs to be those that allow execution of arbitrary code on users' systems or allow access to users' confidential information. In the latter case we consider bugs to be sec-high only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be sec-high if they potentially expose only lower-value information (e.g., browsing history) or information that would be useful primarily for other exploits (e.g., the names of files or directories on the user's system).

Finally, in general we do not consider bugs that permit only denial of service attacks to be eligible in the sense described above.

Why won't you provide a reward for denial of service (DoS) bugs?

Because DoS bugs are generally less serious than other security bugs (e.g., they typically do not lead to corruption or destruction of user data, much less theft of data), and in many cases a DoS attack does not involve an actual bug but simply misuse of standard product features (e.g., putting up a web site with an excessive number of graphics, sending excessively long mail messages, etc.). We have decided to concentrate our limited resources on rewarding people who find what we consider to be more serious security problems.

Bug reporting, etc.

I've already published information about the bug, and didn't go through the Mozilla bug process; can I still get a reward?

Depending on the manner in which it was published, and the details that were disclosed, it may be possible; however typically we do not pay bounties in situations where developers need to drop existing work to respond to an urgent fix needed due to a public disclosure.

We encourage people to report bugs directly to the Mozilla project, in order to ensure that the bug is made known as soon as possible to the people who can fix it.

Can I receive a bounty for a vulnerability I didn't find?

Sometimes, yes. For example, if you find a Firefox exploit in the wild that uses a previously unknown vulnerability and report it, you can be eligible for a bounty for that vulnerability even though you didn't discover the vulnerability itself.

If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

I don't have the time or desire to work with you further in investigating and fixing the bug; can I still get a bug bounty reward?

Yes. Again, we're rewarding you for finding a vulnerability, not trying to buy your cooperation. However we invite you to work together with us to resolve the issue; and doing so can increase the reward that is ultimately paid. You'll also get the opportunity to work as a full member of the team fixing your bug and see "from the inside" exactly how Mozilla security bugs get resolved.