Mozilla

Top 1K site
Bounty, Recognition, Swag, Full Safe Harbor

Program Details

Handle: mozilla
Managed: Yes

Response Metrics

Response Time: 7 days
Bounty Time: 162 days
Resolution Time: 625 days
Response Efficiency: 92%

Scope (29 targets)

web: 26, other: 3

Bounty splitting: Yes

In Scope

  • Mozilla Ad Routing Service (other, bounty-eligible)
  • Mozilla VPN Clients (other, bounty-eligible)
  • Product Delivery (other, bounty-eligible)
  • accounts.firefox.com (web, bounty-eligible)
  • addons.allizom.org (web, bounty-eligible)
  • api.profiler.firefox.com (web, bounty-eligible)
  • aus5.mozilla.org (web, bounty-eligible)
  • bugzilla.mozilla.org (web, bounty-eligible)
  • community-tc.services.mozilla.com (web, bounty-eligible)
  • crash-reports.allizom.org (web, bounty-eligible)
  • crash-stats.allizom.org (web, bounty-eligible)
  • developer.mozilla.org (web, bounty-eligible)
  • firefox-ci-tc.services.mozilla.com (web, bounty-eligible)
  • firefox.settings.services.mozilla.com (web, bounty-eligible)
  • hg.mozilla.org (web, bounty-eligible)
  • lando.services.mozilla.com (web, bounty-eligible)
  • merino.services.mozilla.com (web, bounty-eligible)
  • monitor.mozilla.org (web, bounty-eligible)
  • phabricator.allizom.org (web, bounty-eligible)
  • pontoon.allizom.org (web, bounty-eligible)
  • and 9 more targets

Known Exploited Vulnerabilities (13 CVEs)

1 linked to ransomware campaigns

  • CVE-2010-3765 | Multiple Products | 2025-10-06 | 86.6% EPSS

    Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.

  • CVE-2024-9680 | Firefox | 2024-10-15 | 30.8% EPSS

    Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process.

  • CVE-2016-9079 | Firefox, Firefox ESR, and Thunderbird | 2023-06-22 | 84.8% EPSS

    Mozilla Firefox, Firefox ESR, and Thunderbird contain a use-after-free vulnerability in SVG Animation, targeting Firefox and Tor browser users on Windows.

  • CVE-2015-4495 | Firefox | 2022-05-25 | 71.6% EPSS

    Mozilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges.

  • CVE-2019-11707 | Firefox and Thunderbird | 2022-05-23 | 84.4% EPSS

    Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash.

  • CVE-2019-11708 | Firefox and Thunderbird | 2022-05-23 | 68.4% EPSS

    Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.

  • CVE-2013-1690 | Firefox and Thunderbird | 2022-03-28 | 47.1% EPSS

    Mozilla Firefox and Thunderbird do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial-of-service (DoS) or possibly execute malicious code via a crafted web site.

  • CVE-2022-26486 | Firefox | 2022-03-07 | 5.5% EPSS

    Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution.

  • CVE-2022-26485 | Firefox | 2022-03-07 | 7.2% EPSS

    Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution.

  • CVE-2013-1675 | Firefox | 2022-03-03 | 7.9% EPSS

    Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.

and 3 more in the full CISA catalog