Program overhaul driven by migration to ‘multi-process, sandboxed architecture’
UPDATED Mozilla is raising payouts for the highest impact security flaws found in Firefox and related projects as part of a bug bounty revamp guided by its “more hardened security stance”.
In an effort to make the policy “more friendly”, the open source browser developer has also clarified payout criteria, and abandoned a “first reporter wins” approach to payouts in favor of sharing the spoils among duplicate reporters.
The non-profit said it would also continue publishing explainers aimed at newbie Firefox testers following its December 2019 post on how HTML sanitization prevents UXSS.
“After adding a new static analysis bounty late last year, we’re excited to further expand our bounty program in the coming year, as well as provide an on-ramp for more participants,” said Mozilla’s Tom Ritter in a post published yesterday (April 23).
“We’re updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture.”
Ritter said the previous policy of awarding an entire bounty to the first researcher to report a bug is “very frustrating if you are fuzzing our Nightly builds (which we encourage you to do!) and you find and report a bug mere hours after another reporter.”
The spoils will now be split “between all duplicates submitted within 72 hours of the first report; with prorated amounts for higher quality reports. We hope this will encourage more people to fuzz our Nightly ASAN builds.”
The highest impact bugs – UXSS, sandbox escapes, and bypassing WebExtension install prompts – are now eligible for a baseline $8,000 payout, with high quality reports potentially earning up to $10,000.
A Mozilla spokesperson told The Daily Swig that, previously, “the typical range for severe bugs was $3,000 to $5,000 USD, with higher payouts being rare.”
A new bug class for proxy bypass flaws, meanwhile, will have a $3,000 payout baseline and $5,000 ceiling.
Asked what they hoped to achieve from the various changes, the Mozilla spokesperson said: “We hope to have lowered the barrier to entry by providing security researchers with guided help on how to test the most critical parts of Firefox as well as by giving more guidance on what we would like to see in reports.
“This way, we hope to attract more people to the program overall, especially with regard to fuzzing our Nightly browser.”
Mozilla, whose bug bounty program launched in 2004, revealed that the average payout between 2017-2019 was $2,775.
Overall, the browser-maker has paid out $965,750 for the disclosure of 348 bugs over the three-year period.
In November 2019, Mozilla doubled web payouts for vulnerabilities impacting critical services and core sites, while tripling payouts for remote code execution (RCE) bugs on critical sites.
The elevated payout tiers reflect rising payouts across the sector, with payouts for critical flaws on HackerOne – the world’s biggest bug bounty platform – nearly doubling to $3,384 last year.
The announcement was also published on Mozilla’s new Attack & Defense blog aimed at engineers, security researchers, and bug bounty hunters.
This article was updated on April 27 with comment from Mozilla.