Mozilla offers up to $10,000 to security bug hunters

Bounty hunters can make a killing if they uncover security problems with software. There are lots of companies who will pay out in cold, hard cash to anyone who managed to unearth security vulnerabilities, and Mozilla has announced that it is increasing its top level bounty.

The company is appealing to white hat hackers and security experts to help plug holes in its software, and it is willing to cough up for it. Mozilla's security program had already paid out $1.6 million over the years, and the Client Bug Bounty Program has just been updated so that maximum payout is now $10,000.

There are, of course, a few caveats. Any bug that is reported must be unique if it is to qualify for the bounty payout, and the bug "must be a remote exploit, the cause of a privilege escalation, or an information leak." To prevent the risk of sabotage, code writers are exempt from reporting problems with their own buggy code, and Mozilla Foundation employees are not eligible to submit reports.

Of course, not all reports of security issues will result in a payout, but the top rate has now more than tripled. The previous maximum had been $3,000, and this has now been upped to $10,000, and Mozilla has outlined details of the bounties for different types of vulnerability.

The lowest grade is classed as "medium vulnerability" and will pay out $500-$2500, while the minimum payout for a "high or critical vulnerability" is $3,000. Detail is everything and if you submit a "high quality bug report of a critical or high vulnerability" the payout stands at $5,000; provide details of a "high quality bug report with clearly exploitable critical vulnerability" and you could be in line for a $7,500 reward. The top rate of $10,000 is reserved for a "novel vulnerability and exploit, new form of exploitation or an exceptional vulnerability."