Critical
These websites and services are considered critical to Mozilla operations and pay out at the highest bounty rate.
ABSearch
- search.services.mozilla.com
Add-ons
- addons.cdn.mozilla.net
- addons.mozilla.org
- blocklist.addons.mozilla.org
- builder.addons.mozilla.org
- compatibility-lookup.services.mozilla.com
- discovery.addons.mozilla.org
- services.addons.mozilla.org
- static.addons.mozilla.net
- versioncheck-bg.addons.mozilla.org
- versioncheck.addons.mozilla.org
Autograph
- autograph-edge.prod.mozaws.net
- edge.prod.autograph.services.mozaws.net
Bedrock (www)
- www.firefox.com
- www.getfirefox.com
- www.mozilla.com
- www.mozilla.org
Bugzilla
- bugzilla.mozilla.org
- *.bmoattachments.org (excludes XSS and open redirects)
Please do not use automated scanners, create, or modify bugs when testing Bugzilla.
Instead, install your own local copy for testing from webtools-bmo-bugzilla
or use our development instance.
Crash Reports
- crash-reports.mozilla.com
- crash-reports-xpsp2.mozilla.com
- crash-stats.mozilla.com
- symbols.mozilla.org
Downloads (Product Delivery)
- archive.mozilla.org
- download.mozilla.org
- download-installer.cdn.mozilla.net
Firefox Accounts
- accounts.firefox.com
- api.accounts.firefox.com
- oauth.accounts.firefox.com
- profile.accounts.firefox.com
- verifier.accounts.firefox.com
Firefox Settings (Kinto)
- firefox.settings.services.mozilla.com
- webextensions.settings.services.mozilla.com
Firefox Sync
- *.sync.services.mozilla.com
- token.services.mozilla.com
Firefox Updates (AUS/Balrog)
- aus3.mozilla.org
- aus4.mozilla.org
- aus5.mozilla.org
Phabricator
- phabricator.services.mozilla.com
Push
- push.services.mozilla.com
- updates.push.services.mozilla.com
Shield
- self-repair.mozilla.org
Source Control
- hg.mozilla.org (except website, see below)
Taskcluster
- auth.taskcluster.net
- aws-provisioner.taskcluster.net
- cloud-mirror.taskcluster.net
- cors-proxy.taskcluster.net
- docs.taskcluster.net
- ec2-manager.taskcluster.net
- events.taskcluster.net
- github.taskcluster.net
- hooks.taskcluster.net
- index.taskcluster.net
- login.taskcluster.net
- loop.telemetry.mozilla.org
- notify.taskcluster.net
- public-artifacts.taskcluster.net
- pulse.taskcluster.net
- purge-cache.taskcluster.net
- queue.taskcluster.net
- references.taskcluster.net
- schemas.taskcluster.net
- secrets.taskcluster.net
- statsum.taskcluster.net
- taskcluster.net
- tools.taskcluster.net
Tracking Protection
- shavar.services.mozilla.com
- tracking.services.mozilla.com
Core
Core websites pay out bounties, but at a reduced rate.
Delivery Console
- delivery-console.prod.mozaws.net
Firefox Monitor
- monitor.firefox.com
Internal
- login.mozilla.com
- mana.mozilla.org
- phonebook.mozilla.org
- pto.mozilla.org
Localization
- l10n.mozilla.org
- pontoon.mozilla.org
Observatory
- http-observatory.security.mozilla.org
- observatory.mozilla.org
- tls-observatory.services.mozilla.com
- getpocket.com
- api.getpocket.com
Premium Services
- premium.firefox.com
Shield
- qsurvey.mozilla.com
Source Control
- hg.mozilla.org (website only)
