Post-Heartbleed, Mozilla Launches Bug Bounty for Certificate Library
To qualify for the special bounty, the bug and reporter must first meet the guidelines of the company’s normal security bug bounty program. In addition, the vulnerability must: be in, or caused by, code in security/pkix or security/certverifier as used in Firefox; be triggered through normal web browsing (for example, “visit the attacker’s HTTPS site”); and be reported in enough detail, including test cases, certificates, or even a running proof-of-concept server, so that Mozilla can reproduce the problem.