Skip the navigation

Mozilla hikes Firefox bug bounties to $3K

Increases payment for reported vulnerabilities six-fold

July 16, 2010 11:47 AM ET

Computerworld - Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to $3,000.

The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum $1,337 that Google pays for the most severe bugs.

Mozilla and Google are the only browser makers that pay security researchers for reporting vulnerabilities in their products.

"A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," said Lucas Adamski, director of security engineering. Mozilla kicked off its bounty program in August 2004.

In an e-mail reply to questions, Adamski later Friday said Mozilla picked $3,000 as the new bounty after talking to researchers, saying it was "a number that we felt would fairly compensate them for their efforts."

Only bugs that Mozilla ranks "crucial" or "high" -- its top two ratings -- are eligible for payment. In Mozilla's hierarchy, critical vulnerabilities are those that allow remote code execution; in other words, ones that when exploited give the attacker full control of the machine. High vulnerabilities are those that expose "high-value" personal information, such as usernames, passwords and credit card numbers. Denial-of-service flaws are not eligible for a bounty, Mozilla said.

Google launched its own cash-for-flaws program in January 2010, paying $500 for most bugs. Some vulnerabilities, however, earn their discoverer $1,000, or even $1,337, the latter given only to bugs that Chrome's team judge's "particularly severe or particularly clever."

The last time Google paid bounties was July 2, when it handed out $2,500 to a pair of researchers for reporting four vulnerabilities.

Bugs in the Mozilla Suite, which the Mozilla Foundation dropped in 2005 -- will no longer be eligible for bounties, said Adamski. But vulnerabilities in Firefox Mobile, Mozilla's mobile browser, as well as any Mozilla services that Firefox or Thunderbird rely on for safe operation, are eligible.

Mozilla also added new language to its reward policy that gives it some new flexibility.

"Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla's end users," the revised guidelines now state.

Adamski noted that change in his blog posting, but did not elaborate. He also later declined to provide more information on the scenarios that might make Mozilla invoke the new clause.

Researchers may have questions for Mozilla about the new language, since the FAQ for the bounty program says that they don't have to wait for patches to be built and applied to, say, Firefox before they go public with their information.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!