Five years ago, Mozilla increased the payout for its Bug Bounty Program to $3,000 for anyone who found bugs that were rated high or critical. While this was a solid payout, Mozilla has decided to make some adjustments, now setting $3,000 as the minimum for any high or critical bug, with amounts going up substantially from there.
Along with payouts for major bugs and vulnerabilities, Mozilla will now start paying out for bugs it rates Moderate (the equivalent of a medium severity). Before, these would not have qualified for the $3,000 payout and would instead have received nothing. Now, Mozilla is adding a sliding scale under which a Moderate bug earns somewhere between $500 and $2,500, depending on the bug in question.
On the high and critical side, $3,000 is now the minimum. A high-quality report of a high or critical bug will net the finder $5,000, and a clearly exploitable high or critical bug will earn the person who discovers it $7,500. At the top end, bugs that Mozilla describes as a "novel vulnerability and exploit, a new form of exploitation or an exceptional vulnerability" will pay out $10,000 or more.
Bugs in the highest range are going to be quite rare, and Mozilla retains final discretion over whether a bug qualifies for the largest payout. The biggest change for most people is probably going to come from the bugs at the low end, since these are the ones the average bug hunter is most likely to find.
Since the inception of the program, Mozilla says it has already paid out over $1.6 million, and with these increased payouts at both the high and low ends of the scale, that total is likely to grow substantially.