Mozilla ups bug bounty rewards to $15,000 on critical sites
Bug bounty researchers probing for vulnerabilities in Mozilla software now will be tempted with more cash after the browser-maker doubled most of its rewards and expanded the list of targets.
In a blog post Tuesday, Mozilla said it’s marking the 15-year anniversary of its Firefox browser by dedicating a higher budget to its bounty program. Rewards for critical, core and other Mozilla sites are doubled, while remote code-execution vulnerabilities now are worth up to $15,000 on critical sites. Meanwhile, Mozilla also is asking researchers to try hacking its Autograph cryptography service, its Lando code repository tool, Phabricator, the tool used to review code changes in Firefox, and Taskcluster, its continuous-integration framework, among others.
“We hope the new sites and increased payments will encourage [researchers] to have another look at our sites and help us keep them safe for everyone who uses the web,” Simon Bennetts, a security automation engineer, said in the announcement.
The increase comes amid ongoing interest in bug bounty programs as a fail-safe that corporate security teams, particularly in the technology sector, use to identify flaws internal staff may have missed. By offering rewards through vetted brokers, firms like Apple, Intel and GM hope to plug any holes that could provide malicious outsiders with a way into their networks.
Political gamesmanship also seems to be more of a factor in rewards decisions, at least for Huawei. The Chinese telecommunication firm that U.S. national security officials warn could operate under Beijing’s sway said last week it would offer up to $220,000 to researchers who uncover “critical” vulnerabilities in one of its Android devices. The big prize will go to hackers who show they can remotely access a device without clicking anything, while easier-to-score goals can fetch up to $110,000, according to Forbes.