Mozilla ramps up bug bounty payments

If you submit a Mozilla Firefox security flaw in the future, you can expect a "dramatic" payment increase.


Mozilla has increased payouts associated with the firm's Firefox browser bug bounty program.

On Wednesday, the firm announced "dramatic" increases to the financial rewards offered to developers who submit valid security bugs relating to the Mozilla Firefox Internet browser.

Five years ago, the maximum amount awarded to researchers who filed security vulnerabilities was $3,000, and the company has now decided it is high time for an increase.

"We have dramatically increased the amount of money that a vulnerability is worth," Mozilla engineer Raymond Forbes said. "On top of that, we took a look at how we decided how much we should pay out."

In addition, Mozilla has moved to a variable payment system, which allows higher payment for vulnerabilities based upon the quality of bug reports, the severity of the security problem and how easily the vulnerability can be exploited.

In the past, security vulnerabilities with "Critical" and "High" severity ratings would be awarded the maximum reward amount of $3,000. This reward has now increased to $7,500, with the possibility of going beyond $10,000 for new vulnerabilities and exploits, for a new form of exploitation, or if a vulnerability is considered "exceptional."

Mozilla will also now pay out on vulnerabilities deemed "Moderate," with more interesting bugs earning more. The general reward range is between $500 and $2,000 per security flaw.

"This doesn't mean that all Moderate vulnerabilities will be awarded a bounty, but some will," Forbes says.

Cybersecurity is now a hot topic in the technology and business realm, and skilled staff are in short supply. As a result, credit alone is often not enough to guarantee that security researchers will spend their time submitting security issues for a product when they could be paid well for their time elsewhere.

Companies that offer rewards for third-party flaw submission benefit from having more trained eyes on their products, and researchers benefit financially. However, time is money, and firms must offer reasonable rewards, benchmarked against what other companies are paying, to ensure researchers will consider their bug bounties.


To date, close to $1.6 million has been paid out by the Mozilla Foundation in bug bounty rewards.

Security researchers who wish to submit a flaw must follow Mozilla's guidelines. The bug must be original and not previously reported; the vulnerability must be a remote exploit, the cause of a privilege escalation, or an information leak; and the submitter must not be the author of the buggy code or otherwise involved in the Mozilla project.

In the case of existing bugs which are proven to be exploitable through additional research, there is also the possibility of a payout. Mozilla says in its guidelines:

"Research might also uncover extremely severe, complex, or interesting problem areas that were previously unreported or unknown issues.

Examples of severe or complex bugs would be: Use After Free bugs that also allow for ASLR bypass; bypassing the Firefox security wrappers to allow content to manipulate browser components, or a vulnerability that allows you to break out of a sandboxed process."

At the same time as the announcement, Mozilla revealed the launch of a Firefox Security Bug Bounty Hall of Fame to credit researchers who submit security flaws.
