Eligible Websites & Services


These websites and services are considered critical to Mozilla operations and pay out at the highest bounty rate.


  • addons.mozilla.org
  • services.addons.mozilla.org
  • versioncheck-bg.addons.mozilla.org
  • versioncheck.addons.mozilla.org


  • bugzilla.mozilla.org

Please do not use automated scanners, create, or modify bugs when testing Bugzilla.
Instead, install your own local copy for testing from webtools-bmo-bugzilla or use our development instance.

Crash Reports

  • crash-reports.mozilla.com
  • crash-stats.mozilla.org

If you are planning to experiment with crash report payloads, please use our crash-stats staging instance and crash-reports staging instance for testing.

Downloads (Product Delivery)

  • archive.mozilla.org
  • download.mozilla.org
  • download-installer.cdn.mozilla.net

Firefox Accounts

  • accounts.firefox.com
  • api.accounts.firefox.com
  • oauth.accounts.firefox.com
  • profile.accounts.firefox.com
  • verifier.accounts.firefox.com

Firefox Settings (Kinto)

  • firefox.settings.services.mozilla.com
  • webextensions.settings.services.mozilla.com

Firefox Suggest

  • merino.services.mozilla.com

Firefox Sync

  • *.sync.services.mozilla.com
  • token.services.mozilla.com

Firefox Updates (AUS/Balrog)

  • aus5.mozilla.org


  • api.lando.services.mozilla.com
  • api-private.lando.services.mozilla.com
  • lando.services.mozilla.com


  • pontoon.mozilla.org

Location Services

  • location.services.mozilla.com

Mozilla Tile Service

  • contile.services.mozilla.com


  • self-repair.mozilla.org


  • phabricator.services.mozilla.com


  • push.services.mozilla.com
  • updates.push.services.mozilla.com

Source Control

  • hg.mozilla.org (except website, see below)

Taskcluster - Firefox CI

  • firefox-ci-tc.services.mozilla.com

Tracking Protection

  • shavar.services.mozilla.com


Core websites pay out bounties, but at a reduced rate.

Bedrock (www)

  • www.mozilla.org

Please use our staging instance for testing to avoid site disruption.

Firefox Monitor

  • monitor.firefox.com


  • hubs.mozilla.com
  • reticulum.io
  • *.reticulum.io

Payment Subscription

  • subscriptions.firefox.com


The scope for Pocket in this program is limited to the targets below. Any API endpoint or path not explicitly mentioned is considered out of scope.

Also note that the Pocket iOS and MacOS applications are currently out of scope.

  • Pocket Web application under the following paths:
    • getpocket.com/home
    • getpocket.com/account
    • getpocket.com/discover
    • getpocket.com/collections
    • getpocket.com/saves/*
    • getpocket.com/read/*
    • getpocket.com/premium/*
  • The following API endpoints:
    • getpocket.com/v3/add
    • getpocket.com/v3/send
    • getpocket.com/v3/get
  • Pocket Android Application
  • Pocket Web Extension

Private Relay

  • relay.firefox.com

Source Control

  • hg.mozilla.org (website only)


  • support.mozilla.org

Please use our staging instance for testing to avoid disrupting users.

Taskcluster - Community and Staging Instances

  • stage.taskcluster.nonprod.cloudops.mozgcp.net
  • community-tc.services.mozilla.com


  • vpn.mozilla.org