Article

Mozilla extends bug bounty to Web application vulnerabilities

Kathleen Kriz, Contributor

Mozilla has announced that it is extending its bug bounty program to include critical Web application vulnerabilities found in a dozen of

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

its websites.

We want to encourage the discovery of security issues within our Web applications with the goal of keeping our users safe.

Chris Lyon,
director of infrastructure securityMozilla Corp.

The bounty program previously offered a cash reward for critical Web application vulnerabilities on end-user products like Firefox, Firefox mobile and Thunderbird. Mozilla will pay vulnerability hunters $500 to $3,000 for uncovering flaws, depending on their severity.

"We want to encourage the discovery of security issues within our Web applications with the goal of keeping our users safe," wrote Chris Lyon, director of infrastructure security, in the Mozilla blog on Tuesday. " We also want to reward security researchers for their efforts with the hope of furthering constructive security research."

Previously, Mozilla paid sums of $3,000 for only the most serious flaws, but now Mozilla is following search engine giant Google Inc. by including Web applications on its websites and offering rewards based on the severity of the flaws found; the more serious the threat, the greater the reward.

The bounty will cover Web applications and an extensive list of sites including the main Mozilla homepage, Bugzilla and Firefox.com. Mozilla has announced that cross-site scripting (XSS) and cross-site request forgery (CSRF) are among some of the Web vulnerabilities included in the program.

Researchers are encouraged to download open source code for the Web applications to look for problems instead of using automated tools on the site that could affect Mozilla's ability to keep the sites running well.

Security bugs that are determined critical are those that allow any implementation of arbitrary code on systems. Those considered high-severity bugs gain access to a user's sensitive information, such as passwords and credit card information. Bugs that will not be included with this expansion of the bounty are those that expose low-value information, such as a user's browsing history or file names.

Mozilla said nothing else has changed in the original bounty program they released in July.