Firefox Bug Bounty: Mozilla Raises Payouts and Abandons ‘First Reporter Wins’ Policy

Program overhaul driven by migration to ‘multi-process, sandboxed architecture’
Mozilla is raising payouts for the highest impact security flaws found in Firefox and related projects as part of a bug bounty revamp guided by its “more hardened security stance”.

In an effort to make the policy “more friendly”, the open source browser developer has also clarified payout criteria, and abandoned a “first reporter wins” approach to payouts in favor of sharing the spoils among duplicate reporters.

The non-profit said it would also continue publishing explainers aimed at newbie Firefox testers following its December 2019 post on how HTML sanitization prevents UXSS.

“After adding a new static analysis bounty late last year, we’re excited to further expand our bounty program in the coming year, as well as provide an on-ramp for more participants,” said Mozilla’s Tom Ritter in a post published yesterday (April 23).

“We’re updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture.”

Ritter said the previous policy of awarding an entire bounty to the first researcher to report a bug is “very frustrating if you are fuzzing our Nightly builds (which we encourage you to do!) and you find and report a bug mere hours after another reporter.”

The spoils will now be split “between all duplicates submitted within 72 hours of the first report; with prorated amounts for higher quality reports. We hope this will encourage more people to fuzz our Nightly ASAN builds.”

The highest impact bugs – UXSS, sandbox escapes, and bypassing WebExtension install prompts – are now eligible for a baseline $8,000 payout, with high quality reports potentially earning up to $10,000.

Proxy bypass bugs are now eligible for a $3,000 baseline and $5,000 ceiling.

Mozilla, whose bug bounty program launched in 2004, revealed that the average payout between 2017-2019 was $2,775.

Overall, the browser-maker has paid out $965,750 for the disclosure of 348 bugs over the three-year period.

In November 2019, Mozilla doubled web payouts for vulnerabilities impacting critical services and core sites, while tripling payouts for remote code execution (RCE) bugs on critical sites.

The elevated payout tiers reflect rising payouts across the sector, with payouts for critical flaws on HackerOne – the world’s biggest bug bounty platform – nearly doubling to $3,384 last year.

The announcement was also published on Mozilla’s new Attack & Defense blog aimed at engineers, security researchers, and bug bounty hunters.

This post was originally published by The Daily Swig on

Related posts