You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



Mozilla Security Bug Bounty FAQ

Introduction

This FAQ attempts to answer various questions about the Mozilla security bug bounty program sponsored by the Mozilla Foundation. For more information see the original announcement and the official guidelines governing the program.

General questions

Eligible software

Eligible bugs

Bug reporting, etc.

General questions

Why is the Mozilla Foundation doing this?

Because we want to encourage more people to find and report security bugs in our products, so that we can make our products even more secure than they already are. It's as simple as that.

Is this related to the Netscape bugs bounty program?

No. This program is a completely independent initiative sponsored and run by the Mozilla Foundation.

Are Mozilla developers eligible for the bug bounty reward?

Yes. Anyone is eligible to receive a reward except for Mozilla Foundation employees and the creators and reviewers of the code in which the bug was found. However, as noted in the policy, if you found this bug as part of your job (in other words, while being paid to work on Mozilla) then we'd appreciate it if you would not apply for the bounty, in order to preserve our limited funds for rewarding volunteer contributors.

Eligible software

Can I get the bug bounty reward if I discover a bug in Camino, Galeon, K-Meleon, Netscape 7, or other products based on Mozilla code?

Only if we can reproduce the problem in the most recent version of the Mozilla Suite, Firefox, and/or Thunderbird.

Does the bug bounty cover bugs found in Bugzilla, Tinderbox, Bonsai, and other software created and distributed as part of the Mozilla project?

No. We have decided to use our limited resources to focus on our end-user products, as opposed to the other software produced and used by the Mozilla project.

What do you mean by the "most recent version" of the Mozilla Suite, Firefox, and/or Thunderbird?

In general, we mean the releases available for download on the mozilla.org download page at the time the bug was reported. However, we will also consider paying rewards for security bugs found in development releases (i.e., alpha, beta, and nightly releases) and in select older releases, as discussed in the questions and answers below.

Can I get the bug bounty reward if I discover a bug in an older release of the Mozilla Suite, Firefox, and/or Thunderbird?

In general, bugs found in earlier releases are eligible for a reward only if we can reproduce the problem using the most recent version.

However, as a special exception, we will also consider paying rewards for bugs found in the most recent releases from designated stable branches (e.g., from the Mozilla 1.7 branch after 1.8 is released) if the bugs are not present in the most recent version but were never recognized and fixed as security bugs. (For example, the bug might be in code associated with a feature that was removed and/or heavily modified in the most recent version, and might have been "fixed" solely as a byproduct of other unrelated changes.)

Can I get the bug bounty reward if I discover a bug in an alpha or beta release or a nightly build of the Mozilla Suite, Firefox, and/or Thunderbird?

Yes, as long as the bug otherwise meets the published bug bounty program guidelines. (In particular, the bug must be reproducible in the latest nightly build and not previously reported.)

Can I get the bug bounty reward if I discover a bug that occurs in a third-party release of the Mozilla Suite, Firefox, and/or Thunderbird (e.g., a localized build, optimized build, or third-party Mozilla, Firefox, or Thunderbird distribution)?

Yes, if the bug can be reproduced in an official Mozilla Foundation release and otherwise meets the published guidelines.

Can I get the bug bounty reward if I discover a bug that occurs only on a particular operating system?

Yes, if the operating system is officially supported by the most recent version of the product for which you're reporting the bug. (For a list of supported operating systems and hardware configurations see the system requirements for the Mozilla Suite, Firefox, and Thunderbird.)

Eligible bugs

What types of security bugs do you consider to be "critical"?

In general, we consider critical security bugs to be those that allow execution of arbitrary code on users' systems or that otherwise allow access to users' confidential information. In the latter case, we consider bugs to be critical only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program, we do not consider bugs to be critical if they potentially expose only lower-value information (e.g., browsing history) or information that would be useful primarily for other exploits (e.g., the names of files or directories on the user's system).

Finally, in general we do not consider bugs that allow denial of service (DoS) attacks to be critical in the sense described above.

Why won't you provide a reward for denial of service bugs?

Because DoS bugs are generally less serious than other security bugs (e.g., they typically do not lead to corruption or destruction of user data, much less theft of data), and in many cases a DoS attack does not involve an actual bug but simply misuse of standard product features (e.g., putting up a web site with an excessive number of graphics, sending excessively long mail messages, etc.). We have decided to concentrate our limited resources on rewarding people who find what we consider to be more serious security problems.

Bug reporting, etc.

I've already published information about the bug, and didn't go through the Mozilla bug process; can I still get a reward?

Yes, as long as the bug report occurred after the official announcement of the bug bounty program on August 2, 2004, and otherwise meets the published bug bounty program guidelines (e.g., the bug has not been reported previously and is reproducible in the most recent version of the affected product).

However, we do encourage people to report bugs directly to the Mozilla project, in order to ensure that the bug is made known as soon as possible to the people who can fix it.

If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

No. We're rewarding you for finding a bug, not trying to buy your silence. However, if you report the bug through the standard Mozilla process and haven't already published information about it, then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy, security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before it is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

I don't have the time or desire to work with you further in investigating and fixing the bug; can I still get a bug bounty reward?

Yes. Again, we're rewarding you for finding a bug, not trying to buy your cooperation. However, we do invite you to work together with us, and we hope that you'll accept that offer in the spirit in which it was intended. In return, you'll get the opportunity to work as a full member of the team fixing your bug and to see "from the inside" exactly how Mozilla security bugs get resolved.