Security Bug Bounty Program

Introduction

The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us make the internet a safer place.

General Eligibility

To be eligible for a reward under this program:

  • The security bug must be original and previously unreported. Duplicate submissions within 72 hours will split the bounty between reporters. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a pro-rated additional bounty on top of the split.
  • For issues in client applications, there is a seven-day grace period that begins when the vulnerability is checked into the primary source repository. If the issue is identified internally within those seven days, it is ineligible for a bounty, even if the issue is not recognized as a security vulnerability at time of first identification. If it lasts undiscovered for more than seven days, it becomes eligible for a bounty.
  • The security bug must be a part of Mozilla’s code, not the code of a third party. We will pay bounties for vulnerabilities in third-party libraries incorporated into shipped client code or third-party websites utilized by Mozilla.
  • You must not have written the buggy code or otherwise been involved in contributing the buggy code to the Mozilla project.
  • You must be old enough to be eligible participate in and receive payment from this program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.
  • You must not be an employee, contractor, or otherwise have a business relationship with the Mozilla Foundation or any of its subsidiaries.
  • You should use your best effort not to access, modify, delete, or store user data or Mozilla’s data. Instead, use your own accounts or test accounts for security research purposes.
  • If you inadvertently access, modify, delete, or store user data, we ask that you notify Mozilla immediately at security@mozilla.org and delete any stored data after notifying us.
  • You should also use your best effort not to harm the availability or stability of our services, for example, by running aggressive scanning of those services. Instead, use a local development instance of the service that you want to test.
  • Whenever it is explicitly stated in our program scope, you are expected to test on the provided instances (e.g. staging) instead of production.
  • You must not be on a US sanctions list or in a country (e.g. Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, and Syria) on the US sanctions list.
  • You must not exploit the security vulnerability for your own gain.
  • Before sharing any part of the security issue with a third party, you must give us a reasonable amount of time to address the security issue.
  • All submissions will be covered under Mozilla's Website & Communications Terms of Use, granting us permission to make use of all submissions.
  • All questions regarding the status of bug bounties should be directed to security@mozilla.org and not added as comments on Bugzilla.
  • All submissions must also abide by Bugzilla's Etiquette Policy. Bugzilla may automatically disable accounts if too many bugs are submitted that get marked Invalid; if this happens you can contact security@mozilla.org; however, please be aware that too many invalid submissions may cause any valid bugs reported to receive reduced payouts. Please ask us for suggestions of how to improve your submission quality.

Bounties can be donated to charity, please indicate this in the bug when filing or by contacting security@mozilla.org.

Do not threaten or attempt to extort Mozilla. We will not award a bounty if you threaten to withhold the security issue from us or if you threaten to release the vulnerability or any exposed data to the public.

Safe Harbor

Mozilla strongly supports security research into our products and wants to encourage that research.

As a result, we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with this Bug Bounty Program, or for any accidental or good faith violation of this policy. This includes any claim under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.

As long as you comply with this policy:

  • We consider your security research to be "authorized" under the Computer Fraud and Abuse Act,
  • We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

We understand that many Mozilla systems and services are interconnected with third-party systems and services. While we can authorize your research on Mozilla’s systems and services, and promise that Mozilla will not bring or threaten litigation against you for your efforts under this policy, we cannot authorize efforts on third-party products or guarantee they won’t pursue legal action against you. However, if a third party threatens or brings any legal action against you for your efforts under this policy, we are willing to make clear—to the Court, the public, or otherwise--that we authorized your efforts to test and research the security of Mozilla’s eligible systems and services.

If you’re not sure whether your conduct complies with this policy, please contact us first at security@mozilla.org and we will do our best to clarify.

Web and Client

Mozilla manages two different bug bounty programs. One focuses on Firefox and other Mozilla applications and the other covers our websites and services.