Mozilla announced this week that it has expanded its bug bounty program with a new category that focuses on bypass methods for the exploit mitigations, security features, and defense-in-depth measures implemented in the Firefox browser.
In the past, Mozilla classified mitigation bypasses as low- or moderate-severity issues, but the organization is now going to include them in a specific category of bugs eligible for a reward.
The initiative is part of the new Exploit Mitigation Bug Bounty initiative.
“Within Firefox, we have introduced vital security features, exploit mitigations, and defense in depth measures. If you are able to bypass one of these measures, even if you are operating from privileged access within the browser, you are eligible for a bounty,” reads the announcement published by Mozilla.
A mitigation bypass achieved with privileged access can earn up to $5,000 when a high-quality report is submitted.
Mozilla explained that if a mitigation is bypassed without privileged access, for example by chaining more than one vulnerability, the researcher receives the reward for the vulnerability plus a 50 percent bonus for the mitigation bypass.
The payout for valid, potentially exploitable client security flaws rated critical or high ranges from $3,000 to $10,000 (USD). The bounty depends on the impact of the flaw and the quality of the report provided by the researcher.
“The bounty program encourages the earliest possible reporting of potentially exploitable bugs. A bounty is not determined based on the initial submission, but rather on the outcome of the discussion with developers,” continues the announcement. “Improving test cases post-submission, figuring out if an engineer’s speculation is founded or not, or other assistance that helps resolve the issue will increase your bounty payout.”
Mozilla continues to encourage researchers to report vulnerabilities in Firefox Nightly, the testing and development version of the browser.
Below is the list of the mitigations covered by the Exploit Mitigation Bug Bounty:
The mitigations we consider in scope for this bounty are: