Download Firefox — English (US)

Your system may not meet the requirements for Firefox, but you can try one of these versions:

Download Firefox — English (US)

Your system doesn't meet the requirements to run Firefox.

Your system doesn't meet the requirements to run Firefox.

Please follow these instructions to install Firefox.

Firefox Privacy Notice

Web and Services Bug Bounty Program

Introduction

The Mozilla Bug Bounty Program is designed to encourage security research into Mozilla's websites and services and to reward those who find unique and original bugs in our web infrastructure.

Please submit all bug reports via our secure bug reporting process.

Payouts

Bug Classification Critical sites Core sites Other Mozilla sites1
Remote Code Execution $5000 $2500 $500
Authentication Bypass2 $3000 $1500 HoF
SQL Injection $3000 $1500 HoF
CSRF3 $2500 $1000 --
XSS4 $2500 $1000 HoF
XXE $2500 $1000 HoF
Domain Takeovers $2500 $1000 $250/$1005
XSS (minor) $1000 $500 HoF
XSS (blocked by CSP) $500 HoF --
Clickjacking6 $500 $250 --
Open Redirects HoF HoF HoF/--5
  1. Excludes community websites
  2. Includes IDORs that bypass authentication or authorization for significant actions
  3. Significant actions only, such as changing email/passwords, deleting accounts, etc.
  4. Must be able to conduct significant action (i.e., not defacement, phishing, cookie injection, etc.)
  5. For domains falling outside *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com
  6. Lack of clickjacking protection (XFO, CSP) is insufficient to claim a bounty

Any bounty that receives a payout also obtains inclusion on our Hall of Fame.

Exclusions

Although we still appreciate being notified about them, the following issues fall outside the scope of our bug bounty program:

  • Self-XSS
  • Executing scripts on sandboxed domains (such as bmoattachments or mozillademos)
  • CSRF for non-significant actions (logout, etc.)
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Attacks that require social engineering (phishing)
  • Content injection, such as reflected text or HTML tags
  • Missing HTTP headers, except as where their absence fails to mitigate an existing attack
  • Authentication bypasses that require access to software/hardware tokens
  • Vulnerabilities that only affect users with specific browsers (must work either in Firefox or Chrome)
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
  • Assumed vulnerabilities based upon version numbers only
  • Source code disclosures, as most of our code is open source
  • Vulnerabilities discovered shortly after their public release
  • Outdated TLS configurations which remain to support downloads from Windows XP systems

How To Submit Bugs

Please submit all bug reports via our secure bug reporting process.