Eligible Websites & Services

Critical

These websites and services are considered critical to Mozilla operations and pay out at the highest bounty rate.

ABSearch

• search.services.mozilla.com

Add-ons

• addons.cdn.mozilla.net
• addons.mozilla.org
• blocklist.addons.mozilla.org
• builder.addons.mozilla.org
• compatibility-lookup.services.mozilla.com
• discovery.addons.mozilla.org
• services.addons.mozilla.org
• static.addons.mozilla.net
• versioncheck-bg.addons.mozilla.org
• versioncheck.addons.mozilla.org

Autograph

• autograph-edge.prod.mozaws.net
• edge.prod.autograph.services.mozaws.net

Bedrock (www)

• www.firefox.com
• www.getfirefox.com
• www.mozilla.com
• www.mozilla.org

Bugzilla

• bugzilla.mozilla.org
• *.bmoattachments.org (excludes XSS and open redirects)

Please do not use automated scanners, create, or modify bugs when testing Bugzilla.
Instead, install your own local copy for testing from webtools-bmo-bugzilla or use our development instance.

Crash Reports

• crash-reports.mozilla.com
• crash-reports-xpsp2.mozilla.com
• crash-stats.mozilla.com
• symbols.mozilla.org

Downloads (Product Delivery)

• archive.mozilla.org
• download.mozilla.org
• download-installer.cdn.mozilla.net

Firefox Accounts

• accounts.firefox.com
• api.accounts.firefox.com
• oauth.accounts.firefox.com
• profile.accounts.firefox.com
• verifier.accounts.firefox.com

Firefox Settings (Kinto)

• firefox.settings.services.mozilla.com
• webextensions.settings.services.mozilla.com

Firefox Sync

• *.sync.services.mozilla.com
• token.services.mozilla.com

Firefox Updates (AUS/Balrog)

• aus3.mozilla.org
• aus4.mozilla.org
• aus5.mozilla.org

Lando

• api.lando.services.mozilla.com
• api-private.lando.services.mozilla.com
• lando.services.mozilla.com

Location Services

• location.services.mozilla.com

Normandy

• self-repair.mozilla.org

Phabricator

• phabricator.services.mozilla.com

Push

• push.services.mozilla.com
• updates.push.services.mozilla.com

Source Control

• hg.mozilla.org (except website, see below)

Taskcluster

• auth.taskcluster.net
• aws-provisioner.taskcluster.net
• cloud-mirror.taskcluster.net
• cors-proxy.taskcluster.net
• docs.taskcluster.net
• ec2-manager.taskcluster.net
• events.taskcluster.net
• github.taskcluster.net
• hooks.taskcluster.net
• index.taskcluster.net
• login.taskcluster.net
• loop.telemetry.mozilla.org
• notify.taskcluster.net
• public-artifacts.taskcluster.net
• pulse.taskcluster.net
• purge-cache.taskcluster.net
• queue.taskcluster.net
• references.taskcluster.net
• schemas.taskcluster.net
• secrets.taskcluster.net
• statsum.taskcluster.net
• taskcluster.net
• tools.taskcluster.net

Tracking Protection

• shavar.services.mozilla.com

Core

Core websites pay out bounties, but at a reduced rate.

Delivery Console

• delivery-console.prod.mozaws.net

Firefox Monitor

• monitor.firefox.com

Internal

• jira.mozilla.com
• login.mozilla.com
• mana.mozilla.org
• phonebook.mozilla.org
• pto.mozilla.org

Localization

• l10n.mozilla.org
• pontoon.mozilla.org

Observatory

• http-observatory.security.mozilla.org
• observatory.mozilla.org
• tls-observatory.services.mozilla.com

Payment Subscription

• prod.fxa.mozilla-subhub.app
• subscriptions.firefox.com

Pocket

• getpocket.com
• api.getpocket.com
• app.getpocket.com
• widgets.getpocket.com

Premium Services

• premium.firefox.com

Private Network

• fpn.firefox.com

Private Relay

• relay.firefox.com

Ship It

• shipit-api.mozilla-releng.net
• shipit.mozilla-releng.net

Source Control

• hg.mozilla.org (website only)

Speak To Me

• speaktome-2.services.mozilla.com
• speaktome.services.mozilla.com

VPN

• vpn.mozilla.org