Web and Services Bug Bounty Program


The Mozilla Bug Bounty Program is designed to encourage security research into Mozilla's websites and services and to reward those who find unique and original bugs in our web infrastructure.

Guidelines: Submissions must conform to our general eligibility requirements

Please submit all bug reports via our secure bug reporting process.


Bug Classification Critical sites Core sites Other Mozilla sites1
Remote Code Execution $15000 $5000 $1000
Authentication Bypass2 $6000 $3000 HoF
SQL Injection $6000 $3000 HoF
CSRF3 $5000 $2000 --
XSS4 $5000 $2000 HoF
XXE $5000 $2000 HoF
Domain Takeovers7 $5000 $2000 $5005
Server Side Request Forgery (SSRF)8 $5000 $2000 --
XSS (minor) $2000 $1000 HoF
XSS (blocked by CSP) $1000 HoF --
Clickjacking6 $1000 $500 --
Open Redirects HoF HoF HoF5/--6
  1. Excludes community websites
  2. Includes IDORs that bypass authentication or authorization for significant actions
  3. Significant actions only, such as changing email/passwords, deleting accounts, etc.
  4. Must be able to conduct significant action (i.e., not defacement, phishing, cookie injection, etc.)
  5. For *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com.
  6. Lack of clickjacking protection (XFO, CSP) is insufficient to claim a bounty
  7. Requires a proof of concept to be eligible
  8. SSRF must be proven to reach internal network hosts. Pinging Burp Collaborator or performing DNS lookups are not enough to prove SSRF, this is because there could be other services in the middle, such as a reverse proxy or a WAF that send those requests.

Any bounty that receives a payout also obtains inclusion on our Hall of Fame.


Although we still appreciate being notified about them, the following issues fall outside the scope of our bug bounty program:

  • Self-XSS
  • Executing scripts on sandboxed domains (such as bmoattachments or mozillademos)
  • CSRF for non-significant actions (logout, etc.)
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Attacks that require social engineering (phishing)
  • Content injection, such as reflected text or HTML tags
  • Missing HTTP headers, except as where their absence fails to mitigate an existing attack
  • Authentication bypasses that require access to software/hardware tokens
  • Vulnerabilities that only affect users with specific browsers (must work either in Firefox or Chrome)
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
  • Assumed vulnerabilities based upon version numbers only
  • Source code disclosures, as most of our code is open source
  • Vulnerabilities discovered shortly after their public release
  • Outdated TLS configurations which remain to support downloads from Windows XP systems
  • Blind SSRF reports on services that are designed to load resources from the internet

How To Submit Bugs

Please submit all bug reports via our secure bug reporting process.