Valid critical and high severity bugs awarded up to $7,500

Jun 10, 2015 11:40 GMT

After keeping its vulnerability rewards unchanged for five years, Mozilla has decided to increase the payouts it offers external security researchers who report bugs.

The quality of the report, the severity of the flaw, and a clear description of how it can be exploited are the main criteria used to set the value of the reward.

Interesting “moderate” problems are also rewarded

For half a decade, Mozilla offered $3,000 / €2,650 to researchers who responsibly disclosed Critical and High severity vulnerabilities, but on Tuesday the organization announced a revised system with variable payouts and a higher maximum amount.

In addition, issues rated as “moderate” will now also be eligible for rewards of between $500 and $2,000 (€450 - €1,800). This addresses cases where an interesting bug was downgraded to moderate severity, which previously left the reporting researcher with no payment at all.

“This doesn’t mean that all Moderate vulnerabilities will be awarded a bounty but some will,” Mozilla said in the announcement.

The reward range has been raised so that eligible Critical and High issues now receive between $3,000 and $7,500 (€2,650 and €6,650). Reaching the top of that range requires a high quality report for a clearly exploitable critical flaw.

Beyond that, a novel vulnerability accompanied by a working exploit, a new exploitation technique, or an exceptional security problem may be worth in excess of $10,000 / €8,870.

Bug submission is a simple process

“The bounty program encourages the earliest possible reporting of these potentially exploitable bugs,” the revised description of Mozilla’s Client Bug Bounty Program now reads.

Security researchers can report problems through the Bugzilla bug-tracking platform (an account is needed), marking the report as confidential so that it is not publicly visible.

Providing a proof-of-concept test case is not strictly required, but it speeds up processing of the submission. Additional data, such as debug output, also helps Mozilla assess the issue and its value.

Bug hunters must also notify the Mozilla Security Group by email at [email protected], including the Bugzilla filing number for the problem.