Firefox Raises Bug Bounty Payouts
Written by Alex Armstrong   
Tuesday, 28 April 2020

Mozilla has updated its bug bounty policy to make it more appealing to security researchers. It has also launched a new website for security researchers, and Firefox bug bounty participants.

mozillaaanddbanner

In his inaugural post to the new  Attack & Defense blog Tom Ritter takes the opportunity to review the recent performance of the Firefox bug bounty program, which he notes began in 2004.

Between 2017-2019, Mozilla paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 – but as the graph shows the most common payout was $4,000:firefoxbbpayments

He also mentions that Mozilla added a new static analysis bounty to its Client Bug Bounty Program towards the end of 2019 in an attempt to encourage the community to use CodeQL tools for static analysis work that identifies present or historical flaws in Firefox.

With regard to latest updates to the bug bounty policy and payouts, they are designed to reflect the more hardened security stance Mozilla adopted after moving to a multi-process, sandboxed architecture. Ritter writes:

Firstly, we’re amending our current policy to be more friendly and allowing duplicate submissions. Presently, we have a ‘first reporter wins’ policy, which can be very frustrating if you are fuzzing our Nightly builds (which we encourage you to do!) and you find and report a bug mere hours after another reporter. From now on, we will split the bounty between all duplicates submitted within 72 hours of the first report; with prorated amounts for higher quality reports. We hope this will encourage more people to fuzz our Nightly ASAN builds.

Increased payouts should also provide security researchers with an incentive to become involved. Sandbox escapes and related bugs will be now eligible for a baseline $8,000, with a high quality report up to $10,000.  Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000.

Pointing out that most payouts made by Mozilla are above the baseline, Ritter explains:

a bounty amount is not determined based on your initial submission. but rather on the outcome of the discussion with developers. So improving test cases post-submission, figuring out if an engineer’s speculation is founded or not, or other assistance that helps resolve the issue will increase your bounty payout.

The new website will also host guides on testing different parts of Firefox and two such articles by Frederik Braun, Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs and Remote Code Execution in Firefox beyond memory corruptions have already been reposted to it.   mdnsq

Banner


The University of Tübingen's Self-Driving Cars Course
22/03/2024

The recorded lectures and the written material of a course on Self-Driving Cars at the University of Tübingen have been made available for free. It's a first class opportunity to learn the in an [ ... ]



GR00T Could Be The Robot You Have Always Wanted
27/03/2024

We may not have flying cars, but we could well soon have robots that match up to predictions for the 21st century. Nvidia has announced GR00T, a cleverly named project to build robots using foundation [ ... ]


More News

Last Updated ( Tuesday, 28 April 2020 )