Mozilla, the maker of the Firefox browser, has announced it is doubling its top bug bounty rewards payouts following reward increases offered not just by Google, Microsoft and Apple, but exploit brokers.
Mozilla was one of the first organizations to offer rewards for researchers who reported security bugs in Firefox, offering its first payouts in 2004 — six years before Google launched the Chrome Vulnerability Reward Program.
“To celebrate the 15 years of the 1.0 release of Firefox, we are making significant enhancements to the web bug bounty program,” said Mozilla’s Simon Bennetts.
Bug bounties by Microsoft and Google today pay out millions of dollars per year to security researchers, and in the past year both firms have raised their top rewards sharply: Google in July doubled its top payout to US$30,000; a month later Microsoft doubled its top reward to $40,000.
The last time Mozilla doubled its top bounty for Firefox flaws was back in 2015, bumping it from $3,000 to $7,500, but its program hasn’t evolved as quickly as the crowdsourced bug-finding programs from Google or Microsoft.
Mozilla will be tripling payouts to $15,000 for remote code execution (RCE) vulnerabilities on critical sites. These include sites like Add-ons, Bugzilla, Firefox Accounts, and Firefox Sync. RCE on "core" sites, which include the new Firefox Monitor data breach alert service, will now be rewarded up to $5,000 per validated report.
The new rewards schedule could help Mozilla draw attention from hackers who’ve been focussed on higher rewards from better-funded organizations.
In the years since Mozilla last updated its rewards structure, newer managed bug bounty programs have emerged from the likes of HackerOne, Bugcrowd and others.
Additionally, new business models that crowdsource security talent for exploitation purposes have popped up, such as Zerodium — a broker that buys previously undisclosed security flaws and trades them with buyers, such as government agencies.
Today, the highest rewards go to hackers who can break the defenses of mobile operating systems. Apple as of 2019 offers $1 million for an attacker who can hack an iPhone. Zerodium offers $2 million for the best iOS exploits and as of September $2.5 million for Android exploits.
The new “core sites” in Mozilla’s bug bounty program include Firefox Monitor, Localization, Payment Subscription, Firefox Private Network, Ship It, and Speak to me.
“The new payouts have already been applied to the most recently reported web bug,” said Bennetts.
“We hope the new sites and increased payments will encourage you to have another look at our sites and help us keep them safe for everyone who uses the web.”