For quite some time now the folks over at Mozilla have the Mozilla Security Bug Bounty Program in place, a program that rewards those who report valid critical security bugs with cash money and a Mozilla T-shirt. Come to think of it, the program has been around for 6 years now – it launched back in 2004. During all this long time the amount of money Mozilla paid out was of $500 (US). The problem with that $500 cash reward was that it was not that enticing.

It’s the same discussion as when Google announced that in an effort to deter irresponsible vulnerability disclosure, it is willing to pay between $500 and $1337 for “interesting and original vulnerabilities” reported by the security research community. The topic back then was that $500 is not enough to entice some security experts – and definitely not enough to entice blackhat hackers who could get much more than $500 for a 0-day exploit on the black market.

So the point is that $500 for a vulnerability, especially a serious one, is not exactly a big amount. The Mozilla Foundation realized this and upped the amount it pays out – Mozilla upped the amount from $500 to $3,000 (that’s a 600% increase).

“For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best way to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” announced Director of Security Engineering, Lucas Adamski. “We hope other organizations will match our program and actively support constructive security research.”

Details on the Mozilla Security Bug Bounty Program are available here.