From ae2101d6621cbe0b99b6747beb89bcf19e17d9e5 Mon Sep 17 00:00:00 2001
From: Tom Ritter <tom@ritter.vg>
Date: Thu, 4 Jun 2026 16:04:09 -0400
Subject: [PATCH] Bug Bounty Policy Changes

 - Half memory corruption payouts
 - Clarify that UXSS requires an uncompromised content process
 - Remove the static analysis bug bounty
---
 .../templates/security/bug-bounty/faq.html    |   1 +
 .../templates/security/client-bug-bounty.html | 135 ++++++++----------
 media/css/security/client-bug-bounty.scss     |   3 +-
 3 files changed, 61 insertions(+), 78 deletions(-)

diff --git a/bedrock/security/templates/security/bug-bounty/faq.html b/bedrock/security/templates/security/bug-bounty/faq.html
index 299babc8c9d..e7121b32f45 100644
--- a/bedrock/security/templates/security/bug-bounty/faq.html
+++ b/bedrock/security/templates/security/bug-bounty/faq.html
@@ -269,6 +269,7 @@ <h2>Eligible bugs</h2>
         users now have a sandboxed GPU process, and we are working on enabling
         it for all users whether or not additional vulnerabilities are found.</p>
     </dd>
+
   </dl>
 
   <h2>Bug reporting, etc.</h2>
diff --git a/bedrock/security/templates/security/client-bug-bounty.html b/bedrock/security/templates/security/client-bug-bounty.html
index 153c4ebe74a..9e2057676aa 100644
--- a/bedrock/security/templates/security/client-bug-bounty.html
+++ b/bedrock/security/templates/security/client-bug-bounty.html
@@ -23,7 +23,7 @@ <h2 id="intro">Introduction</h2>
 
   <p>The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.</p>
 
-  <p><strong>Guidelines:</strong> Our <a href="{{ url('security.bug-bounty') }}">general eligibility requirements</a> apply to the Client Bug Bounty Program. Submissions must be either a <a href="#static-analysis-bounty">static analysis submission</a>, <a href="#exploit-mitigation-bounty">exploit mitigation bypass</a> or a <a href="#security-vulnerability-bounty">security bug</a> demonstrating the ability to perform an unauthorized action or obtain access to otherwise-restricted information. We recommend that you read our <a href="{{ url('security.bug-bounty.faq') }}">Frequently Asked Questions</a> before submitting.</p>
+  <p><strong>Guidelines:</strong> Our <a href="{{ url('security.bug-bounty') }}">general eligibility requirements</a> apply to the Client Bug Bounty Program. Submissions must be either a <a href="#security-vulnerability-bounty">security bug</a> demonstrating the ability to perform an unauthorized action or obtain access to otherwise-restricted information or an <a href="#exploit-mitigation-bounty">exploit mitigation bypass</a>. We recommend that you read our <a href="{{ url('security.bug-bounty.faq') }}">Frequently Asked Questions</a> before submitting.</p>
 
   <h2 id="security-vulnerability-bounty">Security Vulnerability Bounty</h2>
 
@@ -41,23 +41,16 @@ <h2 id="security-vulnerability-bounty">Security Vulnerability Bounty</h2>
 
   <h4 id="security-vulnerability-amounts">Rewards Amount</h4>
 
-  <p>The bounty for valid potentially exploitable critical and high security rated client security vulnerabilities will be between $20,000 and $3,000 (USD) cash reward, depending on the impact of the vulnerability and the quality of the report, as detailed below.</p>
+  <p>The bounty for valid potentially exploitable critical and high security rated client security vulnerabilities will be up to a $20,000 cash reward, depending on the impact of the vulnerability and the quality of the report, as detailed below.</p>
+
+  <p>The bounty program encourages the <u>earliest possible reporting</u> of potentially exploitable bugs. A bounty <u>is not determined based on the <i>initial</i> submission</u>, but rather on the outcome of the discussion with developers. Improving test cases post-submission, figuring out if an engineer's speculation is founded or not, or other assistance that helps resolve the issue <i>will</i> increase your bounty payout. <u>However</u>, words have dminishing returns, and excessive comments (typically AI-generated) decrease the value of the report. Reproduction testcases provide more value than descriptions. Additionally, a report should not have severity keywords set or include CVSS scores.</p>
+
+  <p>Typically bounties are not paid for issues which cannot be identified/fixed from the report. While we do adhere to a first reporter-rule (with a 48-hour collision window), exceptions are made for reports that are not actionable and require additional information provided by another party. </p>
 
-  <p>The bounty program encourages the <u>earliest possible reporting</u> of potentially exploitable bugs. A bounty <u>is not determined based on the <i>initial</i> submission</u>, but rather on the outcome of the discussion with developers. Improving test cases post-submission, figuring out if an engineer's speculation is founded or not, or other assistance that helps resolve the issue <i>will</i> increase your bounty payout.</p>
 
   <p><b>Baseline Report</b></p>
   <ul class="mzp-u-list-styled">
-    <li>Sufficient information to diagnose the vulnerability and produce a fix.  Examples:</li>
-    <ul class="mzp-u-list-styled">
-      <li>ASAN Stacktrace or Crash Dump (typically for Memory Trespassing/Corruption) including a testcase that reproduces that output</li>
-      <li>Trigger point (for UXSS)</li>
-    </ul>
-    <li>Notes:</li>
-    <ul class="mzp-u-list-styled">
-      <li>Typically bounties are not paid for issues which cannot be identified/fixed from the report.</li>
-      <li>While we do adhere to a first reporter-rule (with a 48-hour collision window), exceptions are made for reports that are not actionable and require additional information provided by another party.</li>
-      <li>A report should not have severity keywords set or include CVSS scores or CWEs.</li>
-    </ul>
+    <li>A baseline report must contain a a simple and reproducible test case - for memory corruption submissions specifically, this should trigger in an Address Sanitizer build.</li>
   </ul>
 
   <p><b>High Quality Report</b></p>
@@ -67,14 +60,14 @@ <h4 id="security-vulnerability-amounts">Rewards Amount</h4>
     <ul class="mzp-u-list-styled">
       <li>(for memory corruption) demonstrated control over the PC or memory read/write location, with documentation for how it is achieved</li>
       <li>a root cause analysis of where the bug is located</li>
-      <li>a proof of concept that reproduces the vulnerability, easily integrated into our test suite</li>
+      <li>a bisection that identifies when the vulnerability was introduced or when it became triggerable</li>
+      <li>a patch that resolves the issue such that the reproduction no longer triggers (this patch need not be the final one we land, but an example that mitigates the vulnerability can be illustrative in better understanding it)</li>
     </ul>
     <li>Submissions that include some aspects of a high quality report will qualify for a bounty between the minimum and maximum.</li>
     <li>Notes:</li>
     <ul class="mzp-u-list-styled">
       <li>A bug that is limited in capability may meet all the criteria for a High Quality report, but will merit a lower payout because of its limited capability. An example would be a sandbox escape that does not allow arbitrary code execution, but does allow arbitrary files to be read from the filesystem.</li>
       <li>Developing a full exploit is not required for a High Quality Report.</li>
-      <li>The intent of the proof of concept is to enable us to create a test that we can integrate into our test coverage.  We encourage you to submit the bug immediately, and if you wish to meet this criteria, ask what will qualify.  For assertion/crash-based tests it is usually sufficient to provide a minimal reproducing html or js file. For more complicated bugs, we would ask you to develop the POC into an actual test (e.g. gtest, xpcshell, mochitest) which we can provide some mentorship for.</li>
     </ul>
   </ul>
 
@@ -89,52 +82,70 @@ <h4 id="security-vulnerability-amounts">Rewards Amount</h4>
   <tbody>
     <!-- ========================================================= -->
     <tr>
-      <td>Highest Impact
+      <td>Highest Impact</td>
+      <td></td>
+      <td></td>
+    </tr>
+    <tr class="bullet">
+      <td>
+        &bullet; Sandbox Escape<sup>0</sup>
       </td>
       <td>$20,000</td>
       <td>$18,000</td>
     </tr>
-    <tr>
+    <tr class="bullet">
       <td>
-        <ul class="mzp-u-list-styled multiple-item-list">
-          <li>Sandbox Escape<sup>0</sup></li>
-        </ul>
+        &bullet; Sandbox Escape (Memory Corruption)<sup>0</sup>
       </td>
+      <td>$10,000</td>
+      <td>$8,000</td>
     </tr>
-    <tr>
+    <tr class="bullet">
       <td>
-        <ul class="mzp-u-list-styled">
-          <li>Bypassing WebExtension install prompts<sup>1</sup></li>
-        </ul>
+        &bullet;Bypassing WebExtension install prompts<sup>1</sup>
       </td>
+      <td>$20,000</td>
+      <td>$18,000</td>
     </tr>
     <!-- ========================================================= -->
     <tr>
       <td>Higher Impact</td>
+      <td></td>
+      <td></td>
+    </tr>
+    <tr class="bullet">
+      <td>
+        &bullet; UXSS<sup>2</sup>
+      </td>
       <td>$10,000</td>
       <td>$8,000</td>
     </tr>
+    <!-- ========================================================= -->
     <tr>
+      <td>High Impact
+      </td>
+      <td></td>
+      <td></td>
+    </tr>
+    <tr class="bullet">
       <td>
-        <ul class="mzp-u-list-styled">
-          <li>UXSS<sup>2</sup></li>
-        </ul>
+        &bullet; Vulnerabilities not fitting 'Higher' or 'Highest Impact', but still receiving a <a href="https://wiki.mozilla.org/Security_Severity_Ratings/Client">sec-high rating</a>
       </td>
+      <td>$5000</td>
+      <td>$3000</td>
     </tr>
-    <!-- ========================================================= -->
-    <tr>
-      <td>High Impact - Vulnerabilities not fitting 'Higher' or 'Highest Impact', but still receiving a <a href="https://wiki.mozilla.org/Security_Severity_Ratings/Client">sec-high rating</a>
+    <tr class="bullet">
+      <td>
+        &bullet; Memory Corruption-based sec-high vulnerabilities
       </td>
-      <td>$5,000</td>
-      <td>$3,000</td>
+      <td>$2500</td>
+      <td>$1500</td>
     </tr>
-    <tr>
+    <tr class="bullet">
       <td>
-        <ul class="mzp-u-list-styled">
-          <li>sec-high rated address bar spoofs</li>
-          <li>Memory corruption in the GPU process</li>
-          <li>Information disclosure from the parent to a less privileged process (e.g. out-of-bounds memory reads via IPC)</li>
-        </ul>
+        &bullet; sec-high rated address bar spoofs<br />
+        &bullet; Memory corruption in the GPU process<br />
+        &bullet; Information disclosure from the parent to a less privileged process (e.g. out-of-bounds memory reads via IPC)
       </td>
       <td class="two-col-cell" colspan="2">
         <span>Typically $3000</span>
@@ -148,21 +159,17 @@ <h4 id="security-vulnerability-amounts">Rewards Amount</h4>
         <span>$2,500 - $500</span>
       </td>
     </tr>
-    <tr>
+    <tr class="bullet">
       <td>
-        <ul class="mzp-u-list-styled multiple-item-list">
-          <li>Memory Corruption triggered by an OOM condition<sup>3</sup></li>
-        </ul>
+        &bullet; Memory Corruption triggered by an OOM condition<sup>3</sup>
       </td>
       <td class="two-col-cell" colspan="2">
         <span>Typically $1,500</span>
       </td>
     </tr>
-    <tr>
+    <tr class="bullet">
       <td>
-        <ul class="mzp-u-list-styled">
-          <li>Persistent-DOS of browser across restarts or a DOS requiring reboot of user’s computer<sup>4</sup></li>
-        </ul>
+        &bullet; Persistent-DOS of browser across restarts or a DOS requiring reboot of user’s computer<sup>4</sup>
       </td>
       <td class="two-col-cell" colspan="2">
         <span>Typically $1,000</span>
@@ -171,11 +178,13 @@ <h4 id="security-vulnerability-amounts">Rewards Amount</h4>
   </tbody>
   </table>
 
+  <p>Note that because advances in vulnerabilitiy detection techniques have made these easier to discover, memory corruption based vulnerabilities, as well as those that can be discovered by an ASAN build, will now be paid at half the rate of the category.</p>
+
   <p><sup>0</sup>A sandbox escape is defined as a method to run arbitrary attacker code with full user privileges in the parent process or natively on the user's computer. This can be achieved either through memory corruption or Javascript-based vulnerabilities. Vulnerabilities that assume arbitrary code execution in the content process - such as invoking an IPC method with attacker-controlled parameters - do qualify for Highest Impact.</p>
 
   <p><sup>1</sup> For Highest Impact, bypassing WebExtension Install Prompts excludes local attacks.</p>
 
-  <p><sup>2</sup>UXSS is defined as the ability to execute JavaScript in an arbitrary cross-origin context. As mentioned above, complex user interaction or limited capabilities of the vulnerability (such as only being able to inject into a cross-origin domain, but not an arbitrary cross-origin domain) may decrease the bounty award.</p>
+  <p><sup>2</sup>UXSS is defined as the ability to execute JavaScript in an arbitrary cross-origin context. As mentioned above, complex user interaction or limited capabilities of the vulnerability (such as requiring a compromised content process, or only being able to inject into a cross-origin domain but not an arbitrary cross-origin domain) may decrease the bounty award.</p>
 
   <p><sup>3</sup> If precise control of the OOM condition can be demonstrated, this will be considered High Impact.</p>
 
@@ -223,42 +232,14 @@ <h2 id="exploit-mitigation-bounty">Exploit Mitigation Bug Bounty</h2>
 
   <p><em>Note</em>: If you’re in the Bounty Bonus category, you may think submitting them separately could earn you slightly more money than submitting them together. We’re pretty sure that doing so would make the second report bounty-ineligible, but if you think each issue is fully independent, you’re welcome to submit them separately and we’ll consider it.</p>
 
-<h2 id="static-analysis-bounty">Static Analysis Bounty</h2>
-
-  <p>We also have a program that rewards the submission of static analysis tools that identify present or historical security vulnerabilities in Firefox.  We will accept static analysis queries <a href="https://firefox-source-docs.mozilla.org/code-quality/static-analysis/writing-new/index.html">written as clang-based checkers</a> - we have some documentation that <a href="https://firefox-source-docs.mozilla.org/code-quality/static-analysis/writing-new/index.html">may help you get started or integrate and run over Firefox as a whole</a>. Submissions should be made following <a href="#claiming-a-bounty">our instructions below</a>.</p>
-
-  <p>We will issue a bounty for the query itself, dependent upon the quality of the submission. <u>Updated April 9, 2026</u>: Because the use of AI tooling has made this significantly simpler, we are adjusting the expected range of the bounty to $500 - $5000. Additionally, circumstances regretfully may result in submissions not being evaluated in a timely fashion - but we will always honor the usefulness of a submission <em>at the time it was made</em>, not in light of current-day practices.</p>
-
-  <p>Additionally, if your query matches presently unknown security vulnerabilities, each vulnerability it matches will be considered for a bounty independently. The amount awarded is dependent on the submission quality, as per normal bounty policy. For example purposes, we’ll assume a high or critical vulnerability (which is the most common case for memory corruption.) A report that only shows the output of the tool would be at the minimum end ($3000), and may be less if you submit multiple false positives we need to spend time validating. However a report that includes documentation explaining and validating that the issue is in fact a vulnerability would be eligible for an increased payout. A submission that includes documentation and a test case (which we acknowledge may be difficult for bugs found via this method) would be eligible for the maximum end ($5000).</p>
-
-  <p>The quality of the static analysis submission will be judged on:</p>
-  <ul class="mzp-u-list-styled">
-    <li>Complexity of the query. Is the query identifying a simplistic or syntactical issue with tight locality? Or is it identifying a semantic problem across complicated data flows?</li>
-    <li>Documentation of the query. How does it work, and how did you develop it. What things did you try that didn’t work, and how did you refine it. Crucially: when trying to find the bad pattern, what edge cases does your query miss?</li>
-    <li>Test vectors. Can you supply simple C++ programs that illustrate the vulnerable code patterns that the query matches. Can you supply programs that are edge cases the query misses?
-    <ul class="mzp-u-list-styled">
-      <li>While it may seem unusual to highlight shortcomings of your submission, from our perspective this makes the submission stronger - it gives us confidence you tested it in multiple scenarios, and shows us how we may be able to improve it.</li>
-    </ul></li>
-    <li>What Firefox issues does it identify, either currently unknown, or previously known and fixed? This is your opportunity to argue the usefulness of your query: we’re not going to run your query on historical versions of the codebase, so you should and demonstrate the bugs the query identifies. The more you can identify, the stronger your case is. As a rule of thumb, a query that identifies less than three distinct issues will need an exceptionally strong argument for its future usefulness.</li>
-    <li>The false positive rate of the query. As a rule of thumb, a query should have fewer false positives than true positives. Which means if it matches 1 valid historical issue and 3 current, false positives - you should seek to identify additional historical issues it matches or refine the query.</li>
-    <li>Uniqueness of the query. If we receive multiple query submissions that do the same thing, we will consider the first reported. This is similar to our existing policy that the issue must be previously unreported. However, if your submission improves upon a prior submitted query, we will consider a (smaller) bounty for your improvement upon the prior query.</li>
-  </ul>
-
-  <p><b>More about "Complexity of the query":</b> Consider a function that returns -1 for error, 0 for failure, and 1 for success. Miscasting this return value into a boolean is a common mistake, and we surely have some historical instances of this in our code base. If you identify a function that still has this (bad) API, such a simplistic syntactical query is still valuable to us. If the API is ours, we should fix the API and if the API isn’t ours, we should use static analysis to prevent such a flaw from occurring. But it’s not a very sophisticated query.  On the flip side, a query that does data flow analysis between a user-controlled source and attacker-controlled sink, accounting for complex transitions along the way (like IPC or JS/C++ boundaries) - that is a very sophisticated query.</p>
-
-  <p><b>Examples of Quality of Submission:</b> As mentioned, the bounty amount we grant for the query will be determined based on the quality of the submission, and an estimation of the number of issues we think it may identify in a one to three-year timespan. On the low end, if you submit a query that identifies a single historical issue of a syntactical misuse of an API we are unlikely to use in future code, we may not issue a bounty, and if we did it would be at the very low range. And on the high end, if you submit a query that matches 3 unknown issues today, in code written in the last year - we can expect it will identify a significant number of issues in the future and would be looking above the high range. (Plus you’d be eligible for separate bounties on those 3 issues.)</p>
-
-  <p><em>Note</em>: While we previously accepted submissions of CodeQL queries, we no longer do. You are of course encouraged to develop CodeQL queries if you think they will be valuable, and submit any findings you glean from them.</p>
-
   <h2 id="claiming-a-bounty">Claiming a Bug Bounty</h2>
 
   <p>To claim a bounty:</p>
   <ul class="mzp-u-list-styled">
     <li>Make sure you have a Bugzilla account.</li>
     <li>Use the <a href="https://bugzilla.mozilla.org/form.client.bounty">bugzilla client bug bounty form</a> to file the issue and automatically mark it for bug bounty consideration.</li>
-    <li>In the "Description" field, please clearly describe one security issue or static analysis submission. Please do not include extremely verbose output in the description field, and instead attach it as described below.</li>
+    <li>In the "Description" field, please clearly describe one security issue. Please do not include extremely verbose output in the description field, and instead attach it as described below.</li>
     <li>If you have multiple bugs to file (for example, multiple findings from a single tool), file each one via this form individually, and we will link them as appropriate during review.</li>
-    <li>If submitting a static analysis submission, use the "Attachment" option to attach the source code of the query or plugin.</li>
     <li>Attach any supporting documents, such as "proofs of concept", reproduction cases, debug output or output from a tool. Again, use the "Attachment" option. While not required, such supporting documents will improve the quality of the submission and help us judge it more quickly and accurately. If you have multiple files to attach, it is better to attach one, submit the form, and then attach the remainder to the newly-created bug rather than attaching a zip file. (The exception is for a bundle of related files, like several log files, or test vector programs.)</li>
     <li>If you have filed the bug directly in Bugzilla without using the <a href="https://bugzilla.mozilla.org/form.client.bounty">Bugzilla client bug bounty form</a>, please immediately notify the Mozilla Security Group by email to <a href="mailto:security@mozilla.org">security@mozilla.org</a> and include the number of the bug you filed and a mention that you are submitting it for bounty consideration. <strong>Do not send the actual vulnerability via email.</strong></li>
   </ul>
diff --git a/media/css/security/client-bug-bounty.scss b/media/css/security/client-bug-bounty.scss
index b61eac64f33..8c61d780aee 100644
--- a/media/css/security/client-bug-bounty.scss
+++ b/media/css/security/client-bug-bounty.scss
@@ -5,9 +5,10 @@
 @use '~@mozilla-protocol/core/protocol/css/includes/lib' as *;
 
 .mzp-u-data-table {
-    td:has(> ul) {
+    tr.bullet td, td.bullet, td:has(> ul) {
         border-top: 0;
         margin-top: $spacing-xl;
+        padding-left: 25px;
     }
 
     ul.multiple-item-list {