Mozilla raises bounty for security bugs to $3,000

The reward for finding eligible security vulnerabilities will increase from $500, and the program will be extended to cover more Mozilla software

Mozilla, the organization behind the Firefox Web browser, has upped the amount it will pay security researchers for information on security bugs in its products from $500 to $3,000.

The change is part of what Mozilla calls a refresh of its Security Bug Bounty Program, which launched in 2004.

"A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," wrote Lucas Adamski, director of security engineering, in a blog post.

Mozilla has also expanded the scope of the reward program, which will continue to apply to Firefox and the Thunderbird email client, and also to the Firefox mobile browser and other services the products rely on. Release and beta products are also eligible.

"These are products we have traditionally paid bounties for in a discretionary basis anyway, but we wanted to make that explicit," Adamski wrote.

Mozilla can deny a reward to a researcher, however, if the organization deems the person has not acted in the best interests of users, Adamski wrote.

Other parts of the program will be retained, however. A reward will still be paid even if a researcher has published information on the vulnerability or if the researcher doesn't have time to work closely with Mozilla's security team.

Send news tips and comments to jeremy_kirk@idg.com.
