Bug bounties: Mozilla just doubled its payouts as it tries to attract software vulnerability hunters

Browser-maker ups its payouts for glitches across critical sites and services.
Written by Steve Ranger, Global News Director

Mozilla has doubled the payout across its bug bounty program and added new sites and services to the list in an attempt to attract more attention from the bug-hunting community.

The browser-maker said it has doubled all web payouts for critical, core and other Mozilla sites under its web and services bug bounty program.

Mozilla has also tripled payouts to $15,000 for remote code execution on critical sites and is adding new sites to the program.

"As we are constantly improving the services behind Firefox, we also need to ensure that sites we consider critical to our mission get the appropriate attention from the security community," Mozilla said.

Over the last six months Mozilla has increased the number of sites that qualify for its bug bounty program. New sites include: Autograph, a cryptographic signature service that signs Mozilla products; Lando, Mozilla's new automatic code-landing service; Phabricator, a code management tool used for reviewing Firefox code changes; and the Taskcluster task execution framework.

Mozilla has also extended the list of sites it considers to be core to include Firefox Monitor, Localization, Payment Subscription, Firefox Private Network, Ship It and Speak To Me -- Mozilla's speech recognition API.

While doubling potential bug payouts may make a few more security experts run an eye over Mozilla's sites, it's far from the biggest spender: spotting a critical flaw in Microsoft's new Chromium-based Edge browser could make you $30,000. 
