Bug Bounty Program

Introduction

The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence.

Many thanks to Linspire and Mark Shuttleworth, who provided start-up funding for this endeavor.

General Bounty Guidelines

Mozilla will pay a bounty for certain client and service security bugs, as detailed below. All security bugs must follow the following general criteria to be eligible:

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
  • Employees of the Mozilla Foundation and its subsidiaries are ineligible.

If you found the security bug as part of your job (in other words, while being paid to work on Mozilla code) then we would appreciate your not applying for the bounty. Our funds are limited and we would like this program to focus on people who are not otherwise paid to work on the Mozilla project.

Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla's end users.

If two or more people report the bug together the reward will be divided among them.

Client Reward Guidelines

The bounty for valid critical client security bugs will be $3000 (US) cash reward and a Mozilla T-shirt. The bounty will be awarded for sec-critical and sec-high severity security bugs that meet the following criteria:

  • Security bug is present in the most recent main development (i.e., Aurora, Beta or EarlyBird, and nightly mozilla-central releases) or released versions of Firefox, Thunderbird, Firefox for Android, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation.
  • Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.

More information about this program can be found in the Client Security Bug Bounty Program FAQ.

Web Application and Services Reward Guidelines

The bounty for valid web applications or services related security bugs, we are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities. We will also include a Mozilla T-shirt. The bounty will be awarded for sec-critical and sec-high security bugs that meet the following criteria:

More information about this program can be found in the Web Application Security Bounty FAQ.

Process

Please file a bug describing the security bug; be sure to check the box near the bottom of the entry form that marks this bug report as confidential. We encourage you to attach a "proof of concept" testcase or link to the bug report that demonstrates the vulnerability. While not required, such a testcase will help us judge submissions more quickly and accurately.

Notify the Mozilla Security Group by email and include the number of the bug you filed and a brief summary. If you cannot file a bug include the full details in the email and attach any proof of concept testcases or links. Mozilla Foundation staff and the Mozilla Security Group will consider your submission for the Security Bug Bounty and will contact you.

We ask that you be available to provide further information on the bug as needed, and invite you to work together with Mozilla engineers in reproducing, diagnosing, and fixing the bug. As part of this process we will provide you full access to participate in our internal discussions about the bug; for more information read our policy for handling security bugs.