Mozilla bumps up bounty for bug hunters

The project is now offering up to $3,000 for reports of high-risk security vulnerabilities in its software, as part of its Bug Bounty security programme
Written by Ben Woods, Contributor

Mozilla has revamped its Bug Bounty Security Program for the first time since the scheme's launch in 2004, increasing the reward for reporting security flaws to the company six-fold.

The decision to increase the reward from $500 (£328) to $3,000 is part of a move to explicitly encompass a broader range of software. Mozilla's staple Thunderbird and Firefox software are still included in the scheme, which now also covers Firefox Mobile and Mozilla services that rely on any of its key applications.

"A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," said Lucas Adamski, the project's director of security engineering, in a post to the Mozilla blog on Thursday.

Mozilla's move comes after security researchers criticised Google's $500 reward for finding bugs in Chromium as too low, calling the amount "ridiculous". Announced at the end of January, Google's scheme also offers $1,337 for information about particularly severe or "particularly clever" bugs, the company said at the time.

The increased bounty applies to all critical or high-risk bugs found since 1 July 2010, though in order to qualify, the flaws must be remotely exploitable. Mozilla's bug-reporting terms do not require private disclosure to the project; instead, they allow researchers to retain control of how and when they reveal vulnerability information.

However, the company does reserve the right to withhold payment for a bug discovery if "the reporter is deemed to have acted against the best interests of our users," Adamski explained in the blog post.

Beta and final release software versions are covered under the Bug Bounty Security Program, but bugs found in the now unsupported Mozilla Suite programme are not.

Mozilla is on the list of software makers in VeriSign's Vulnerability Contributor Program (VCP), which pays security researchers for valid reports of flaws. Compensation "can range from hundreds to thousands of dollars", according to the VCP website, which means a bug hunter might be able to get more cash from the security company than from Mozilla. TippingPoint's Zero Day Initiative has a similar scheme.