Exploit mitigation bugs that work without relying on privileged access will be eligible for a 50% bonus.
“While previously, bypassing a mitigation in a testing scenario – such as directly testing the HTML Sanitizer – would be classified as a sec-low or sec-moderate, it will now be eligible for a bounty equivalent to a sec-high,” Mozilla explains in a blog post.
“Additionally, if the vulnerability is triggerable without privileged access, this would count as both a regular security vulnerability eligible for a bounty and a mitigation bypass, earning a bonus payout.”
Another change, also announced on August 18, sees the introduction of a policy to pay out on security bugs discovered by external researchers in the pre-release Nightly versions of Firefox, after a four-day grace period.
“We still want to encourage bounty hunting on Nightly – even if other bounty programs don’t – but issuing bounties for obvious transient issues we find ourselves is not improving the state of Firefox security or encouraging novel fuzzer improvements,” Mozilla explained.
Restructuring
The latest changes follow a major revamp to Mozilla’s bug bounty program back in April that offered higher payouts and ditched the previous ‘first reporter wins’ policy in favor of shared financial rewards.
Earlier this month, the Firefox-maker announced a restructuring plan that will result in the loss of 250 jobs.
Mozilla’s Mitchell Baker attributed the job losses to “economic conditions resulting from the global pandemic” that “have significantly impacted our revenue”.
Mozilla told The Daily Swig that its ongoing restructuring would not affect its bug bounty strategy.
“Our latest Bug Bounty Program update is part of a broader initiative that aims to enhance collaboration with researchers by sharing our work and opening it up for scrutiny from established as well as emerging security researchers in the bug bounty community,” it said. “Security of our users remains integral to our work on Firefox. We are moving forward with the program as originally planned.”
This post was originally published by The Daily Swig on portswigger.net