Mozilla Jazzes Up Its Firefox Bug Bounty Program With Better Rewards And Duplicate Submissions

by Abeerah Hashim

Mozilla has some good news for bug bounty hunters. The company has jazzed up its Firefox Bug Bounty Program with higher rewards, and it will now accept duplicate submissions from researchers.

Big Rewards In Mozilla Firefox Bug Bounty Program

In a recent post, Mozilla announced changes to their Firefox Bug Bounty Program. The program, which dates back to 2004, has paid out thousands of dollars in bounties to researchers for reporting various bugs. Now, they intend to make the bug bounty program more lucrative.

As stated in their post, they will pay higher rewards for higher-impact flaws. They have included sandbox escapes and related vulnerabilities in the program with a baseline reward of $8000, awarding up to $10,000 for high-quality reports. Likewise, proxy bypass bugs will carry a baseline reward of $3000, reaching up to $5000 for high-quality reports.

They also note that these bounty amounts aren't fixed. Rather, a researcher may earn more for reports with better outcomes. As stated by Mozilla,

A bounty amount is not determined based on your initial submission, but rather on the outcome of the discussion with developers. So improving test cases post-submission, figuring out if an engineer’s speculation is founded or not, or other assistance that helps resolve the issue will increase your bounty payout.

Accepting Duplicate Submissions

Another interesting update in their bug bounty program is the acknowledgment of duplicate bugs for rewards. If a researcher submits a bug report hours after another researcher reported the same vulnerability, Mozilla will acknowledge both. Accordingly, Mozilla will divide the bounty money between both researchers. With this step, Mozilla is abandoning their current ‘first reporter wins’ policy for bounties. As stated,

From now on, we will split the bounty between all duplicates submitted within 72 hours of the first report; with prorated amounts for higher quality reports.

Researchers may also donate their bounty to charity if they wish.