Attack and Defense
@attackndefense
Followers 1K · Following 17 · Media 4 · Statuses 138
@[email protected] - Mozilla's Security Internals for Security Engineers, Security Researchers, and Bug Bounty Hunters.
Joined February 2020
Please report bugs. If you - or someone else - improves exploitability after the initial report, the bounty will be increased. If you're the second reporter, you will be pro-rated. I guess I can only speak for our bounty program but come on industry, you can do better. #bugbountytips
Do not report open redirects without fully analyzing and seeing the potential of it. Thanks to a random guy who reported an open redirect, our report for a full SSRF leaking the client secret of an integration was claimed as a dupe. Again: do not report open redirects #bugbountytips
(This is not the Firefox Security team, so we won't be able to answer a lot of the typical questions here)
Mozilla is looking for a Staff Security Engineer, Product Security in Remote Canada/US/UK/Germany -
mozilla.org
Mozilla is hiring a Staff Security Engineer, Product Security in Remote Germany
We just published the Q2 2025 edition of the Firefox Security and Privacy newsletter. Highlights: * CHIPS * Webcompat improvements * Better HTTPS error pages * Firefox Relay integration ...and much more. https://t.co/uxxMw5gRuU
attackanddefense.dev
Welcome to the Q2 2025 edition of the Firefox Security and Privacy newsletter!
Did you know that all of our good stuff is also available elsewhere? Follow us on Mastodon at https://t.co/yJ7EtZOQJd or keep refreshing our site at
We just updated our bug bounty hall of fame to include the great security researchers from the last two quarters. Thank you for securing the best #Firefox yet :) https://t.co/zRlAT45pKa
mozilla.org
https://t.co/fIkkSptNXY This is a big change for DOM Clobberers. Firefox Nightly no longer allows native document properties to be overwritten by elements with a name attr, e.g.: <img src=a name=currentScript> <script> alert(document.currentScript)// HTMLScriptElement </script>
bugzilla.mozilla.org
RESOLVED (tschuster) in Core - DOM: Core & HTML. Last updated 2025-07-23.
We updated our Firefox Bug Bounty Hall of Fame for Q4 of 2024. 🏆👏 Thank you to the many folks who helped keep Firefox secure!
mozilla.org
What it takes to fix a 0day in 25 hours. (Spoiler: It's teamwork!). Read the blog post at https://t.co/UAqrGtP4af by our very own @TomRittervg
blog.mozilla.org
At Mozilla, browser security is a critical mission, and part of that mission involves responding swiftly to new threats. Tuesday, around 8 AM Eastern time, we received a heads-up from ...
We're turning the big 2-0 this year! Help us celebrate by sharing your best Firefox fan art 🔥 tag us or use #FirefoxArt by 11/01 so we don't miss it. (you just might score some fun surprises too...)
If you haven't updated Firefox in a while, do it now. We have fixed a high-severity security vulnerability that is apparently exploited in the wild. We shipped this within 25 hours after being reported to us. https://t.co/zx6sebvXK9
You can avoid your bugs being of decreased value by: 1. Demonstrating code execution with an exploit 2. Finding a spoof in the existing address bar. Learn more at https://t.co/6ivGnK9vt1 &
Minor update to our linked Security Severity Ratings and therefore the bug bounty program. We are decreasing the severity of 1. Memory safety issues that require just one _specific_ allocation to fail. 2. Full screen prompt spoofs.
.@freddyb will be at #Offensivecon24 in Berlin. Let us know if you want to meet up to talk about browser/ web security.
P.S: We pay up to $20k for a good sandbox escape. Take a look at https://t.co/lTEoqzuQ4U for our bounty program. If you want to learn how to find these kinds of bugs, @LiveOverflow made a great video at
Kudos to all the countless people postponing their sleep and working towards resolving this so quickly! Really impressive teamwork again. Also, kudos to Manfred for pwning Firefox again :)
Last Thursday, @_manfp demonstrated a security exploit targeting Firefox 124 at pwn2own. Within 21 hours, we published Firefox 124.0.1 (and Firefox ESR 115.9.1) containing the security fix. Please update your foxes! 🦊
For context, last Christmas, @joernchen reported an RCE bug in our version control system.
0day.click
Given my interest in SCM and CI systems I was a little keen to see how this is done at Mozilla as part of their bug bounty program. Thanks to freddy I was granted Level 1 access to Mozilla’s SCM at...