Client Bug Bounty Program

Introduction

The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.

General Client Bounty Guidelines

Mozilla will pay a bounty for certain client security bugs, as detailed below. All security bugs must meet the following general criteria to be eligible:

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit, the cause of a privilege escalation, or an information leak.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
  • Employees of the Mozilla Foundation and its subsidiaries are ineligible.

If two or more people report the bug together, the reward will be divided among them.

Reward Guidelines

Mozilla will pay a bounty for client security bugs as detailed below. All security bugs must also meet the following criteria to be eligible:

Eligible security bugs may be present in any of the current main development or released versions of Firefox or Firefox for Android as released by Mozilla Corporation (e.g. Nightly mozilla-central or Beta test versions, as well as the final release product versions).

The security rating given by the Bounty Committee for a bug must be rated a "sec-critical" or a "sec-high" in order for it to be eligible for a bounty. Some "sec-moderate" bugs may be eligible for the bounty as well. (See Security Ratings for details of the rating qualifications.)

All bounties paid will be at the discretion of the Mozilla Bounty Committee. The committee will evaluate the severity of reported issues with the help of engineers who work on the affected code. Security researchers are invited to participate in the assignment of ratings, but final decisions on the rating are at the discretion of the Bounty Committee.

Rewards Amount

The bounty for valid, potentially exploitable client security vulnerabilities rated critical or high will be a cash reward of between $3000 and $7500 (USD). The bounty program encourages the earliest possible reporting of these potentially exploitable bugs. A bounty may be paid for some moderate-rated client security bugs at the discretion of the Bug Bounty Committee. If a bounty is paid for a moderate-rated security issue, the amount will be between $500 and $2000 (USD), depending on the severity of impact for the issue as determined by the Bug Bounty Committee.

Here are some examples of how to receive a higher reward:

  • The researcher can demonstrate new classes of attacks, or techniques for bypassing security features.
  • If an existing vulnerability can be demonstrated to be exploitable through additional research by the reporter, additional compensation can be earned for the same bug. Research might also uncover extremely severe, complex, or interesting problem areas that were previously unreported or unknown. Examples of severe or complex bugs would be: use-after-free bugs that also allow for ASLR bypass; bypassing the Firefox security wrappers to allow content to manipulate browser components; or a vulnerability that allows you to break out of a sandboxed process.

We reserve the right not to pay bounties for security bugs in, or caused by, additional third-party software (e.g. binary plugins, extensions) not bundled by Mozilla in a release.

  Amount          Reward tier
  $10,000+        Novel vulnerability and exploit, new form of exploitation, or an exceptional vulnerability
  $7,500          High quality bug report with clearly exploitable critical vulnerability [1]
  $5,000          High quality bug report of a critical or high vulnerability [2]
  $3,000          Minimum for a high or critical vulnerability [3]
  $500 - $2,500   Medium vulnerability

[1] This is a report that includes details on exploitation of the vulnerability. A good example of this is a vulnerability that can gain remote code execution without the need of another vulnerability.

[2] This is a high quality report that includes minimized test cases and clear stack traces.

[3] This is a bug that includes a fuzzer report or a crash dump.

Claiming a Bug Bounty

To claim a bounty:

  • Make sure you have a Bugzilla account.
  • File a bug at bugzilla.mozilla.org describing the security issue.
  • When creating the bug, be sure to check the box near the bottom of the entry form that marks this bug report as confidential.
  • Attach a "proof of concept" testcase, or point to explicit code that identifies the vulnerability or exploit. While not required, such a testcase will help us judge submissions more quickly and accurately.
  • If you have debug output or output from a tool demonstrating the issue, please include it in the bug. (If it is very long, please attach it to the bug as an attached file.)
  • Notify the Mozilla Security Group by email to security@mozilla.org and include the number of the bug you filed and a brief summary of the issue. Do not send the actual vulnerability via email.

We ask that you be available to follow along and provide further information on the bug as needed, and invite you to work together with Mozilla engineers in reproducing, diagnosing, and fixing the bug. As part of this process we will provide you full access to participate in our internal discussions about the bug; for more information, read our policy for handling security bugs.