Mozilla has extended its security bug bounty program to also reward the discovery of Web vulnerabilities, such as cross-site scripting (XSS), SQL injection (SQLi) or cross-site request forgery (CSRF), in its websites.

Mozilla's vulnerability reward program, one of the first of its kind, was originally limited to critical vulnerabilities found in Firefox and Thunderbird, for which it paid $500.
The company raised the bounty this summer to $3,000 to better reflect the economic times, and extended the program's reach to vulnerabilities in Firefox Mobile and other services that could impact its products.
"Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security," says Chris Lyon, Mozilla's director of infrastructure security.
"We are now going to include critical and high severity web application vulnerabilities on selected sites," he announces.
The list of covered sites is quite long and includes the add-ons repository (addons.mozilla.org), the official bug tracker (bugzilla.mozilla.org) and the download website (download.mozilla.com), but also mozilla.com and mozilla.org, www.firefox.com, www.getfirefox.com, getpersonas.com, *.services.mozilla.com, services.addons.mozilla.org, versioncheck.addons.mozilla.org, pfs.mozilla.org and aus*.mozilla.org.
The program is also generous in the types of vulnerabilities that qualify for rewards. For example, reflected XSS and TLS failures, which are quite common, are rewarded with $500.
Meanwhile, critical flaws like persistent XSS, CSRF, code injection (SQLi, RFI, LFI), as well as session management and authentication weaknesses that lead to account compromise, can earn bug hunters up to $3,000.
There are, however, rules, and one of them bans the use of automated tools against the live sites. Researchers are advised to search for vulnerabilities manually, or to download the open source Mozilla Web code and run it on their own test servers.
Vulnerabilities are reported through Bugzilla, following the system's official guidelines. The company would also appreciate an email to firstname.lastname@example.org with the IDs of the newly created bug reports.
Researchers are under no obligation to help Mozilla fix the security issues or to keep quiet about them; however, giving developers a reasonable amount of time to address them is appreciated. A more extensive FAQ about the program is available here.