Mozilla extends bug bounty program to cover exploit mitigation bypass payouts


John Leyden 19 August 2020 at 14:14 UTC

Mozilla has extended its well-established bug bounty program to offer rewards for the discovery of flaws in its exploit mitigation technology.

The new Exploit Mitigation Bounty will offer payouts of up to $10,000 to ethical hackers who work out mechanisms to defeat the exploit mitigation and defense-in-depth measures that are built into the Firefox web browser.

Payouts will occur even for bugs in exploit mitigation that depend on privileged access – a factor that previously would have ruled out any reward.

Exploit mitigation bugs that work without relying on privileged access will be eligible for a 50% bonus.

“While previously, bypassing a mitigation in a testing scenario – such as directly testing the HTML Sanitizer – would be classified as a sec-low or sec-moderate, it will now be eligible for a bounty equivalent to a sec-high,” Mozilla explains in a blog post.

“Additionally, if the vulnerability is triggerable without privileged access, this would count as both a regular security vulnerability eligible for a bounty and a mitigation bypass, earning a bonus payout.”

Another change, also announced on August 18, sees the introduction of a policy to pay out on security bugs discovered by external researchers in the pre-release Nightly versions of Firefox, after a four-day grace period.

“We still want to encourage bounty hunting on Nightly – even if other bounty programs don’t – but issuing bounties for obvious transient issues we find ourselves is not improving the state of Firefox security or encouraging novel fuzzer improvements,” Mozilla explained.

Restructuring

The latest changes follow a major revamp to Mozilla’s bug bounty program back in April that offered higher payouts and ditched the previous ‘first reporter wins’ policy in favor of shared financial rewards.

Earlier this month, the Firefox-maker announced a restructuring plan that will result in the loss of 250 jobs.

Mozilla’s Mitchell Baker attributed the cuts to “economic conditions resulting from the global pandemic [that] have significantly impacted our revenue”.

The Daily Swig asked Mozilla to comment on how the restructuring might affect its bug bounty strategy, but we’re yet to hear back. We’ll update this story as and when more information comes to hand.
