Mozilla has expanded its bug rewards program to include security vulnerabilities discovered on its Websites.
“Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security,” blogged Chris Lyon, director of infrastructure security at Mozilla. “We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites.
“We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities,” Lyon wrote.
The move by Mozilla follows a similar one made by Google earlier this year. Mozilla’s program covers a dozen sites. The list doesn’t include all of Mozilla’s Web properties, but the company plans to add to it moving ahead. The sites currently involved in the program include bugzilla.mozilla.org, www.mozilla.com/org and www.firefox.com.
The new policy went into effect today.