By Bruce Sussman
Thu | Nov 21, 2019 | 7:51 AM PST

It was just last month that Mozilla Firefox was declared the most secure web browser.

And a new announcement by the company should help keep it that way.

Mozilla bug bounty program increasing payouts

Mozilla posted this announcement on its Security Blog:

"We are doubling all web payouts for critical, core and other Mozilla sites as per the Web and Services Bug Bounty Program page. In addition we are tripling payouts to $15,000 for Remote Code Execution payouts on critical sites!"

The company is also adding more products to the bug bounty program, which will drive the security of Firefox and more:

  • Autograph – a cryptographic signature service that signs Mozilla products
  • Lando – Mozilla's new automatic code-landing service which allows us to easily commit Phabricator revisions to their destination repository
  • Phabricator – a code management tool used for reviewing Firefox code changes
  • Taskcluster – the task execution framework that supports Mozilla's continuous integration and release processes (promoted from core to critical)

"We hope the new sites and increased payments will encourage you to have another look at our sites and help us keep them safe for everyone who uses the web."

This is in addition to core Mozilla products already covered by the bug bounty program. 

How bug bounty programs are changing the threat landscape

This is interesting timing, because we recently interviewed the leader of the Zero Day Initiative, which is the world's largest vendor-agnostic bug bounty program.

"The impact is significant, if you think about it. Every patch that is coming out, especially when it comes to enterprise software and operating systems, it is being fed by bug bounty programs," says Brian Gorenc, Director of the Zero Day Initiative.

"The community is coming together to make sure the vendors are actually releasing patches for these bugs and as a result the attack surface shifts and changes."

We interviewed Gorenc at a SecureWorld cybersecurity conference. You can listen to our full interview on the SecureWorld Sessions podcast.
