The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. The reward will be awarded for critical security bugs only that meet the following criteria defined on their site.
Breifly, the bug must be original, previously unreported, be a remote exploit and present in the most recent version of the Mozilla Suite, Firefox, and/or Thunderbird, as released by the Mozilla Foundation.
Reporters of valid critical security bugs will receive a $500 (US) cash reward and a Mozilla T-shirt. If two or more people report the bug together the $500 reward will be divided among them.
Report the bug at Bugzilla – this is the official Mozilla bug-tracking system, for recording bugs in Mozilla and other mozilla.org projects. This is not the place to report bugs about Netscape-branded products. For that, try Netscape’s own bug reporting form instead.
They will invite you to work together with Mozilla engineers in reproducing, diagnosing, and fixing the bug. As part of this process they will provide you full access to participate in our internal discussions about the bug.
More information about this program can be found in the Security Bug Bounty Program FAQ.