Eligible Websites & Services

Critical

These websites and services are considered critical to Mozilla operations and pay out at the highest bounty rate.

Add-ons

  • addons.mozilla.org
  • services.addons.mozilla.org
  • versioncheck-bg.addons.mozilla.org
  • versioncheck.addons.mozilla.org

Bugzilla

  • bugzilla.mozilla.org

Please do not use automated scanners, create, or modify bugs when testing Bugzilla.
Instead, install your own local copy for testing from webtools-bmo-bugzilla or use our development instance.

Crash Reports

  • crash-reports.mozilla.com
  • crash-stats.mozilla.org

Downloads (Product Delivery)

  • archive.mozilla.org
  • download.mozilla.org
  • download-installer.cdn.mozilla.net

Firefox Accounts

  • accounts.firefox.com
  • api.accounts.firefox.com
  • oauth.accounts.firefox.com
  • profile.accounts.firefox.com
  • verifier.accounts.firefox.com

Firefox Settings (Kinto)

  • firefox.settings.services.mozilla.com
  • webextensions.settings.services.mozilla.com

Firefox Suggest

  • merino.services.mozilla.com

Firefox Sync

  • *.sync.services.mozilla.com
  • token.services.mozilla.com

Firefox Updates (AUS/Balrog)

  • aus5.mozilla.org

Lando

  • api.lando.services.mozilla.com
  • api-private.lando.services.mozilla.com
  • lando.services.mozilla.com

Localization

  • pontoon.mozilla.org

Location Services

  • location.services.mozilla.com

Mozilla Tile Service

  • contile.services.mozilla.com

Normandy

  • self-repair.mozilla.org

Phabricator

  • phabricator.services.mozilla.com

Push

  • push.services.mozilla.com
  • updates.push.services.mozilla.com

Source Control

  • hg.mozilla.org (except website, see below)

Taskcluster - Firefox CI

  • firefox-ci-tc.services.mozilla.com

Tracking Protection

  • shavar.services.mozilla.com

Core

Core websites pay out bounties, but at a reduced rate.

ABSearch

  • search.services.mozilla.com

Bedrock (www)

  • www.mozilla.org

Please use our staging instance for testing to avoid site disruption.

Firefox Monitor

  • monitor.firefox.com

Hubs

  • hubs.mozilla.com
  • reticulum.io

Payment Subscription

  • subscriptions.firefox.com

Pocket

The scope for Pocket in this program is limited to the targets below. Any API endpoint or path not explicitly mentioned is considered out of scope.

Also note that the Pocket iOS and MacOS applications are currently out of scope.

  • Pocket Web application under the following paths:
    • getpocket.com/home
    • getpocket.com/account
    • getpocket.com/discover
    • getpocket.com/collections
    • getpocket.com/my-list/*
    • getpocket.com/read/*
    • getpocket.com/premium/*
  • The following API endpoints:
    • getpocket.com/v3/add
    • getpocket.com/v3/send
    • getpocket.com/v3/get
  • Pocket Android Application
  • Pocket Web Extension

Private Relay

  • relay.firefox.com

Source Control

  • hg.mozilla.org (website only)

Support

  • support.mozilla.org

Please use our staging instance for testing to avoid disrupting users.

Taskcluster - Community and Staging Instances

  • stage.taskcluster.nonprod.cloudops.mozgcp.net
  • community-tc.services.mozilla.com

VPN

  • vpn.mozilla.org