The Mozilla Security Bug Bounty Program has been in effect for more than six years and covers products such as Firefox and the Thunderbird email client. In a blog posting announcing the bounty payment increase, Mozilla said it would also officially extend the program to the Firefox mobile web browser and other interrelated Mozilla products, while increasing the bounty from $500 per bug to $3000.
Lucas Adamski, director of security engineering for Mozilla, said that payment of the bounty is not contingent on confidential disclosure of the flaws. The organization will pay out only to researchers who disclose flaws in a responsible manner that puts the security of users first, but bugs do not have to be confidentially disclosed to be eligible for the reward.
“While Mozilla strongly encourages researchers to disclose bugs to us privately (and most researchers have), we also believe that researchers should ultimately retain control over when and how the details of their research are disclosed”, Adamski said in a blog posting.
“A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information”, Adamski added in the organization’s security blog.