Mozilla increases rewards for bugs in Firefox

A vulnerability reward program has been in place at Mozilla since 2004. Between 2017 and 2019, the organization paid researchers about $1 million for 350 different bugs. Although the average award for this period is approximately $2,700, the most commonly awarded amount is $4,000.

At the end of 2019, in honor of the fifteenth anniversary of the Firefox browser, Mozilla had already expanded its bug bounty program, extending it to a number of new sites and services. At that time, payments for remote code execution on critical sites were tripled at once, up to $15,000.

Now Mozilla representatives have announced that the bug bounty program is once again changing in ways that should please researchers.

From now on, researchers can receive up to $10,000 for finding the most critical vulnerabilities (provided the description of the problem is accompanied by a high-quality report). Such vulnerabilities include, for example, sandbox escapes and arbitrary code execution.

Other serious problems, such as memory corruption, same-origin policy bypasses that lead to leakage of user data, and disclosure of the IP address of a user who has a proxy server configured, can now bring researchers from $3,000 to $5,000.

In addition, Mozilla reports that bug hunters can now report the same vulnerabilities (independently of each other) without anyone being left out. This is a very common problem among researchers: experts carefully examine Firefox Nightly builds, and often several people find the same vulnerabilities within just a few hours of each other. Mozilla has now decided that the reward for such bugs will be shared among all researchers who report the problem within 72 hours of the first bug report being submitted.

