Mozilla, the organization behind the popular Firefox browser, just announced a major refresh of its security bounty program. When Mozilla instituted this program in 2004, the organization paid security researchers $500 for discovering eligible security bugs. For new bugs, Mozilla will now pay $3,000. The organization cites the fact that “the security environment has changed tremendously” as the main reason for the increase. Mozilla also clarified that the bounty program covers Firefox, as well as the Thunderbird email client and Mozilla’s mobile products, such as the newly released Firefox Home tool for the iPhone.
To be eligible for the $3,000 reward, bugs must be original and previously unreported. The security bug must also be a remote exploit and can’t be caused by a third-party plugin or extension.
Bugs can be reported confidentially through Mozilla’s bug tracking software, though Mozilla will also pay when researchers disclose security bugs publicly. The organization, however, encourages researchers to disclose these security issues privately.
Only a few Mozilla products are ineligible for the bounty program. The Mozilla Suite, an all-in-one Internet application suite that resembles the old Netscape Communicator product, isn’t eligible, for example, as Mozilla stopped development on this program in 2008.
$1,337: What Others Pay
A number of other companies have established similar bounty programs. Google, for example, pays $500 for “interesting and original” security vulnerabilities in Chrome and $1,337 for severe bugs. Some researchers, however, have called Google’s $500 bounty “insulting.” When Google established this program, it cited Mozilla’s $500 bounty as the reason for choosing this price, so it will be interesting to see whether Google also brings its bug bounty up to $3,000.