You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

Mozilla Security Bug Bounty Program


The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $500 (US) cash reward and a Mozilla T-shirt.

Many thanks to Linspire and Mark Shuttleworth for providing start-up funding for this endeavor. Mark Shuttleworth has issued a challenge grant to support this initiative. Please make a donation today. Your tax-deductible contribution will be matched dollar for dollar, up to $5000, by Mark Shuttleworth.

Reward Guidelines

The bounty will be awarded for critical security bugs that meet the following criteria:

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Security bug is present in the most recent supported version of Firefox, and/or Thunderbird, as released by the Mozilla Corporation.
  • Security bugs in or caused by additional 3rd-party software (e.g. Java, plugins, extensions) are excluded from the Bug Bounty program.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
  • Mozilla Foundation and Corporation employees are ineligible.

If you found the security bug as part of your job (in other words, while being paid to work on Mozilla code) then we would appreciate your not applying for the bounty. Our funds are limited and we would like this program to focus on people who are not otherwise paid to work on the Mozilla project.

If two or more people report the bug together the $500 reward will be divided among them.


Please file a bug describing the security bug; be sure to check the box near the bottom of the entry form that marks this bug report as confidential. We encourage you to attach a "proof of concept" testcase or link to the bug report that demonstrates the vulnerability. While not required, such a testcase will help us judge submissions more quickly and accurately.

Notify the Mozilla Security Group by email and include the number of the bug you filed and a brief summary. If you cannot file a bug include the full details in the email and attach any proof of concept testcases or links. Mozilla Foundation staff and the Mozilla Security Group will consider your submission for the Security Bug Bounty and will contact you.

We ask that you be available to provide further information on the bug as needed, and invite you to work together with Mozilla engineers in reproducing, diagnosing, and fixing the bug. As part of this process we will provide you full access to participate in our internal discussions about the bug; for more information read our policy for handling security bugs.

More information about this program can be found in the Security Bug Bounty Program FAQ.