Along with payouts for major bugs and vulnerabilities, Mozilla will now start paying out for bugs it calls Moderate or medium. Before, these would not have qualified for the $3,000 payout, and would instead have received nothing. Now, Mozilla is adding a sliding scale where these medium bugs would get a payout somewhere between $500 to $2,500, depending on the severity of the bug in question.
On the high to critical side, $3,000 is now the minimum. A high-quality report of a high or critical bug will net the finder $5,000, and a clearly exploitable high or critical bug will get the person who discovers it $7,500. On the top end, bugs that Mozilla describes as a “novel vulnerability and exploit, a new form of exploitation or an exceptional vulnerability” will pay out $10,000 or more to the person who finds it.
Bugs in the highest range are going to be quite rare, and Mozilla will ultimately have the final discretion on whether a bug qualifies for the largest payout. The biggest change for the most people is probably going to come from the bugs on the low end, as these are more likely to be found by the average bug seeker.
Since the inception of this program, Mozilla claims to have already paid out over $1.6 million, and with these increased payouts at the high and low end of the spectrum, that amount is clearly going to increase substantially.
