Attack and Defense

Please report bugs. If you - or someone else - improves exploitability after initial report, the bounty will be increased. If you're second reporter, you will be pro-rated. I guess I can only speak for our bounty program but come on industry, you can do better. #bugbountytips

@LiveOverflow The bug info is public, including test case and patches. If you want to follow along, look at bug bugzilla.mozilla.org/show_bug.cgi?i… (Day 1 exploit) and bugzilla.mozilla.org/show_bug.cgi?i… (Day 2)

See @LiveOverflow's documentary on Firefox and pwn2own and learn what it was like to fix not just one but TWO Firefox security bugs at rapid time. youtube.com/watch?v=YQEq5s…

After a long pause, a new video coming today! Part 1 of small documentary about Pwn2Own…

Good news. We just published the Firefox Security Newsletter for 2025 Q4. attackanddefense.dev/2026/01/30/fir…

(This is not the Firefox Security team, so we won't be able to answer a lot of the typical questions here)

Mozilla is looking for a Staff Security Engineer, Product Security in Remote Canada/US/UK/Germany - mozilla.org/en-US/careers/…

@MonierFr @garethheyes Doesn't DOMPurify also support <svg>? We intentionally disallow the more dangerous stuff (like <filter>, <view>, <switch>, etc.). But let us know if you find breakage. Attacks on web security APIs are generally in scope for the bug bounty program (terms and conditions apply :))

@garethheyes developer.mozilla.org/en-US/docs/Web… It would not strip <svg> elements?! Seems doomed 🖼️

Firefox nightly introduces the setHTML() method. Which is like a native DOMPurify. You can easily test it here: portswigger-labs.net/mxss/ Set HTMLSanitizer ✅ Auto update ✅ I'm trying to break it, I encourage you to break it too

@garethheyes @KwanAleister While `data` URLs are not what I would consider an XSS in the page, I still see it as a confusion that we should address more clearly in the spec. If you have opinions, pls share in github.com/WICG/sanitizer….

@KwanAleister Try alert(document.domain)

We just published the Q2 2025 edition of the Firefox Security and Privacy newsletter. Highlights: * CHIPS * Webcompat improvements * Better HTTPS error pages * Firefox Relay integration ...and much more. attackanddefense.dev/2025/07/17/fir…

Did you know that all of our good stuff is also available elsewhere? Follow us on Mastodon at @attackanddefense" target="_blank" rel="nofollow noopener">infosec.exchange/@attackanddefe… or keep refreshing our site at attackanddefense.dev

We just updated our bug bounty hall of fame to include the great security researchers from the last two quarters. Thank you for securing the best #Firefox yet :) mozilla.org/en-US/security…

bugzilla.mozilla.org/show_bug.cgi?i… This is a big change for DOM Clobberers. Firefox Nightly no longer allows native document properties to be overwritten by elements with a name attr, e.g.: <img src=a name=currentScript> <script> alert(document.currentScript)// HTMLScriptElement </script>

@garethheyes @kinugawamasato Good find. This is now fixed @FirefoxNightly. Sorry, no fun allowed.

We updated our Firefox Bug Bounty Hall of Fame for Q4 of 2024. 🏆👏 Thank you to the many folks who helped keep Firefox secure! mozilla.org/en-US/security…

What it takes to fix an 0day in 25 hours. (Spoiler: It's team work!). Read the blog post at blog.mozilla.org/security/2024/… by our very own @TomRittervg

We're turning the big 2-0 this year! Help us celebrate by sharing your best Firefox fan art 🔥 tag us or use #FirefoxArt by 11/01 so we don't miss it. (you just might score some fun surprises too...)

If you haven't updated Firefox in a while, do it now. We have fixed a high-severity security vulnerability that is apparently exploited in the wild. We shipped this within 25 hours after being reported to us. mozilla.org/en-US/security…

@FrancescoCiull4 @firefox @FirefoxSupport Twitter is not a great channel for urgent requests. Especially given the recent developments. Please try support.mozilla.org (If this is security related, send email to security@mozilla.org.)

🚨 Urgent🚨 I need to reach out @firefox @FirefoxSupport as soon as possible!!! Can you help me, please?

You can avoid your bugs to be of decreased value by: 1. Demonstrate code execution with an exploit 2. Find a spoof in the existing address bar. Learn more at wiki.mozilla.org/Security_Sever… & mozilla.org/en-US/security…

Minor update to our our linked Security Severity Ratings and therefore the bug bounty program. We are decreasing the severity of 1. Memory safety issues that require just one _specific_ allocation to fail. 2. Full screen prompt spoofs.