Web and Services Bug Bounty Program — Mozilla

Web and Services Bug Bounty Program

Introduction

The Mozilla Bug Bounty Program is designed to encourage security research into Mozilla's websites and services and to reward those who find unique and original bugs in our web infrastructure.

Please submit all bug reports via our secure bug reporting process.

Payouts

Bug Classification | Critical sites | Core sites | Other Mozilla sites [1]
---|---|---|---
Remote Code Execution | $15000 | $5000 | $1000
Authentication Bypass [2] | $6000 | $3000 | HoF
SQL Injection | $6000 | $3000 | HoF
CSRF [3] | $5000 | $2000 | --
XSS [4] | $5000 | $2000 | HoF
XXE | $5000 | $2000 | HoF
Domain Takeovers | $5000 | $2000 | $500 / $200 [5]
XSS (minor) | $2000 | $1000 | HoF
XSS (blocked by CSP) | $1000 | HoF | --
Clickjacking [6] | $1000 | $500 | --
Open Redirects | HoF | HoF | HoF / -- [5]

(HoF = Hall of Fame listing only, no cash payout; -- = not eligible.)

  1. Excludes community websites
  2. Includes IDORs that bypass authentication or authorization for significant actions
  3. Significant actions only, such as changing email/passwords, deleting accounts, etc.
  4. Must be able to conduct a significant action (i.e., not defacement, phishing, cookie injection, etc.)
  5. For domains falling outside .mozilla.org, .mozilla.com, .mozilla.net, and .firefox.com
  6. Lack of clickjacking protection (XFO, CSP) is insufficient to claim a bounty

Any bounty that receives a payout also obtains inclusion on our Hall of Fame.

Exclusions

Although we still appreciate being notified about them, the following issues fall outside the scope of our bug bounty program:

  • Self-XSS
  • Executing scripts on sandboxed domains (such as bmoattachments or mozillademos)
  • CSRF for non-significant actions (logout, etc.)
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Attacks that require social engineering (phishing)
  • Content injection, such as reflected text or HTML tags
  • Missing HTTP headers, except where their absence fails to mitigate an existing attack
  • Authentication bypasses that require access to software/hardware tokens
  • Vulnerabilities that only affect users with specific browsers (must work either in Firefox or Chrome)
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
  • Assumed vulnerabilities based upon version numbers only
  • Source code disclosures, as most of our code is open source
  • Vulnerabilities discovered shortly after their public release
  • Outdated TLS configurations that remain in place to support downloads from Windows XP systems

How To Submit Bugs

Please submit all bug reports via our secure bug reporting process.

In Scope

Scope Type | Scope Name
---|---
web_application | *.mozilla.org
web_application | *.mozilla.com
web_application | *.mozilla.net
web_application | *.firefox.com


This program was crawled on 2020-01-24 and is categorized as a bounty program.

FireBounty © 2015-2020
