The change is part of what Mozilla calls a refresh of its Security Bug Bounty Program, which launched in 2004.
"A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," wrote Lucas Adamski, director of security engineering, in a blog post.
Mozilla has also expanded the scope of the reward program, which will continue to apply to Firefox and the Thunderbird email client, and also to the Firefox mobile browser and other services the products rely on. Release and beta products are also eligible.
"These are products we have traditionally paid bounties for in a discretionary basis anyway, but we wanted to make that explicit," Adamski wrote.
Mozilla can deny a reward to a researcher, however, if the organization deems the person has not acted in the best interests of users, Adamski wrote.
Other parts of the program will be retained, however. A reward will still be paid even if a researcher has published information on the vulnerability or if the researcher doesn't have time to work closely with Mozilla's security team.
Send news tips and comments to firstname.lastname@example.org.