Eligible Websites & Services

Critical

These websites and services are considered critical to Mozilla operations and pay out at the highest bounty rate.

ABSearch

  • search.services.mozilla.com

Add-ons

  • addons.cdn.mozilla.net
  • addons.mozilla.org
  • blocklist.addons.mozilla.org
  • builder.addons.mozilla.org
  • compatibility-lookup.services.mozilla.com
  • discovery.addons.mozilla.org
  • services.addons.mozilla.org
  • static.addons.mozilla.net
  • versioncheck-bg.addons.mozilla.org
  • versioncheck.addons.mozilla.org

Bedrock (www)

  • www.firefox.com
  • www.getfirefox.com
  • www.mozilla.com
  • www.mozilla.org

Bugzilla

  • bugzilla.mozilla.org
  • *.bmoattachments.org (excludes XSS and open redirects)

Please do not use automated scanners, create, or modify bugs when testing Bugzilla.
Instead, install your own local copy for testing from webtools-bmo-bugzilla or use our development instance.

Crash Reports

  • crash-reports.mozilla.com
  • crash-reports-xpsp2.mozilla.com
  • crash-stats.mozilla.com

Downloads (Product Delivery)

  • archive.mozilla.org
  • download.mozilla.org

Firefox Accounts

  • accounts.firefox.com
  • api.accounts.firefox.com
  • oauth.accounts.firefox.com
  • profile.accounts.firefox.com
  • verifier.accounts.firefox.com

Firefox Settings (Kinto)

  • firefox.settings.services.mozilla.com
  • webextensions.settings.services.mozilla.com

Firefox Sync

  • *.sync.services.mozilla.com
  • token.services.mozilla.com

Firefox Updates (AUS/Balrug)

  • aus3.mozilla.org
  • aus4.mozilla.org
  • aus5.mozilla.org

Push

  • push.services.mozilla.com
  • updates.push.services.mozilla.com

Shield

  • self-repair.mozilla.org

Source Control

  • hg.mozilla.org (except website, see below)

Test Pilot

  • testpilot.firefox.com

Tracking Protection

  • shavar.services.mozilla.com
  • tracking.services.mozilla.com

Core

Core websites pay out bounties, but at a reduced rate.

Internal

  • login.mozilla.com
  • mana.mozilla.org
  • phonebook.mozilla.org

Observatory

  • http-observatory.security.mozilla.org
  • observatory.mozilla.org
  • tls-observatory.services.mozilla.com

Shield

  • qsurvey.mozilla.com

Source Control

  • hg.mozilla.org (website only)

Taskcluster

  • auth.taskcluster.net
  • aws-provisioner.taskcluster.net
  • cloud-mirror.taskcluster.net
  • cors-proxy.taskcluster.net
  • docs.taskcluster.net
  • events.taskcluster.net
  • github.taskcluster.net
  • hooks.taskcluster.net
  • index.taskcluster.net
  • login.taskcluster.net
  • loop.telemetry.mozilla.org
  • notify.taskcluster.net
  • public-artifacts.taskcluster.net
  • pulse.taskcluster.net
  • purge-cache.taskcluster.net
  • queue.taskcluster.net
  • references.taskcluster.net
  • scheduler.taskcluster.net
  • schemas.taskcluster.net
  • secrets.taskcluster.net
  • statsum.taskcluster.net
  • taskcluster.net
  • tools.taskcluster.net