Mozilla has announced it is raising the bug bounties it pays for Firefox to $10,000.
Bug bounties are a popular way of encouraging developers and “white hats,” the term for ethical hackers who find and report vulnerabilities, to work with companies and test their products and services. Most major companies pay significant bounties for bugs that are reported to them. In many cases, white hats are able to make a full-time income off the bounties they collect.
According to Mozilla’s blog post, the company has made use of bug bounties since 2004, paying out some $965,750 between 2017 and 2019. While the average payout was $2,775, the most common amount was $4,000.
The company is making a number of changes to make the bounty program more accessible, while also splitting bounties among duplicate reports that are filed within 72 hours of the first report. This is being done in an effort to reward individuals who may have come in second or third by mere hours. In addition, the company is raising its payouts.
“Besides rewarding duplicate submissions, we’re clarifying our payout criteria and raising the payouts for higher impact bugs,” writes Mozilla’s Tom Ritter. “Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000.”
Mozilla’s announcement will likely be a big motivation for white hats to continue finding and reporting bugs in Firefox.