Web and Services Bug Bounty Program

Introduction

The Mozilla Bug Bounty Program is designed to encourage security research into Mozilla's websites and services and to reward those who find unique and original bugs in our web infrastructure.

Payouts

Bug Classification          Critical sites   Core sites   Other Mozilla sites [1]
Remote Code Execution       $5000            $2500        $500
Authentication Bypass [2]   $3000            $1500        HoF
SQL Injection               $3000            $1500        HoF
CSRF [3]                    $2500            $1000        --
XSS [4]                     $2500            $1000        HoF
XXE                         $2500            $1000        HoF
Domain Takeovers            $2500            $1000        $250/$100 [5]
XSS (minor)                 $1000            $500         HoF
XSS (blocked by CSP)        $500             HoF          --
Clickjacking [6]            $500             $250         --
Open Redirects              HoF              HoF          HoF/-- [5]

HoF = Hall of Fame listing.

  [1] Excludes community websites
  [2] Includes IDORs that bypass authentication or authorization for significant actions
  [3] Significant actions only, such as changing email/passwords, deleting accounts, etc.
  [4] Must be able to conduct a significant action (i.e., not defacement, phishing, cookie injection, etc.)
  [5] For domains falling outside *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com
  [6] Lack of clickjacking protection (XFO, CSP) is insufficient to claim a bounty

Any bounty that receives a payout also obtains inclusion on our Hall of Fame.

Exclusions

Although we still appreciate being notified about them, the following issues fall outside the scope of our bug bounty program:

  • Self-XSS
  • Executing scripts on sandboxed domains (such as bmoattachments or mozillademos)
  • CSRF for non-significant actions (logout, etc.)
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Attacks that require social engineering (phishing)
  • Content injection, such as reflected text or HTML tags
  • Missing HTTP headers, except where their absence fails to mitigate an existing attack
  • Authentication bypasses that require access to software/hardware tokens
  • Vulnerabilities that only affect users with outdated browsers
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
  • Assumed vulnerabilities based upon version numbers only
  • Source code disclosures, as most of our code is open source
  • Vulnerabilities discovered shortly after their public release
  • Outdated TLS configurations which remain in place to support downloads from Windows XP systems

How To Submit Bugs

The sooner we can reproduce the bug, the sooner we can fix it and send you your bounty. Please submit all bugs through the Bugzilla web bounty form. Do not send vulnerabilities via email, and please avoid using video.

There are three main things you can provide which will help us to evaluate your submission quickly and pay a bounty sooner:

  1. What is the attack scenario?
  2. What is the step-by-step exploit process?
  3. What is the security impact?

Once you have written your step-by-step instructions, repeat the attack by following them exactly. This helps prevent errors and omissions in your submission.

We prefer to receive bug reports in English. If English is not your native language and you are not fluent, please submit bugs in your native language. Please note that this may delay our response time.

Eligibility

All security bugs must meet the following general criteria to be eligible:

  • Security bug must be original and previously unreported.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project.
  • Employees of the Mozilla Foundation and its subsidiaries are ineligible.

If a bug is reported by a team or by multiple researchers simultaneously, the bounty will be split evenly amongst them.