Web and Services Bug Bounty Program

Introduction

The Mozilla Bug Bounty Program is designed to encourage security research into Mozilla's websites and services and to reward those who find unique and original bugs in our web infrastructure.

Guidelines: Submissions must conform to our general eligibility requirements

Please submit all bug reports via our secure bug reporting process.

Payouts

Severity Rating            Critical sites    Core sites     Other Mozilla sites (1)
Critical (sec-critical)    $6000-$15000      $3000-$5000    $500-$1000
High (sec-high)            $3000-$6000       $1000-$3000    HoF - $500
Moderate (sec-moderate)    $1000-$3000       $500-$1000     HoF
Low (sec-low)              HoF - $1000       HoF - $500     HoF

  1. Excludes community websites

Any bounty that receives a payout also obtains inclusion on our Hall of Fame.

Definition and Examples

Critical

Critical vulnerabilities are urgent security issues that present an ongoing or immediate danger to the users of our services and our infrastructure.

  • Remote Code Execution
  • Authentication and Session Management Flaws (which lead to account compromise)
  • Disclosure of secrets in publicly accessible assets
  • Hardcoded credentials for a privileged user
High

Typically, high severity issues are exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users.

  • Account takeover through OAuth misconfiguration
  • IDORs that bypass authentication or authorization for significant actions
  • CSRF on significant actions, such as changing email/passwords, deleting accounts, etc.
  • XSS resulting in conducting significant action (i.e., not defacement, phishing, cookie injection, etc.)
  • XML External Entity (XXE) attack
  • Hardcoded credentials for a non-privileged user
Moderate

Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities, as well as issues resulting from the lack of standard defense-in-depth techniques and security controls.

  • XSS (minor)
  • Domain takeovers supported by a proof of concept (1)
  • SSRF which leads to reaching internal network hosts
  • Disclosure of sensitive information which does not expose the user or organization to immediate risk
  • CSRF for minor actions.
Low

Minor security vulnerabilities which could lead to leaks or spoofs of non-sensitive information, and missing best-practice security controls.

  • XSS (blocked by CSP)
  • Clickjacking with demonstrated impact (a mere lack of clickjacking protection such as XFO or CSP is insufficient to claim a bounty)
  • External SSRF
  • EXIF Geolocation Data Not Stripped From Uploaded Images
  • Open Redirects (1)
  1. For *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com, in addition to the list of critical and core sites.

Exclusions

Although we still appreciate being notified about them, the following issues fall outside the scope of our bug bounty program:

  • Self-XSS
  • Executing scripts on sandboxed domains (such as bmoattachments or mozillademos)
  • CSRF for non-significant actions (logout, etc.)
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Attacks that require social engineering (phishing)
  • Content injection, such as reflected text or HTML tags
  • Missing HTTP headers, except where their absence fails to mitigate an existing attack
  • Authentication bypasses that require access to software/hardware tokens
  • Vulnerabilities that only affect users with specific browsers (must work either in Firefox or Chrome)
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
  • Assumed vulnerabilities based upon version numbers only
  • Source code disclosures, as most of our code is open source
  • Vulnerabilities discovered shortly after their public release
  • Outdated TLS configurations that remain in place to support downloads from Windows XP systems
  • Blind SSRF reports on services that are designed to load resources from the internet
  • Pocket macOS application
  • Pocket iOS application until further notice

How To Submit Bugs

Please submit all bug reports via our secure bug reporting process.