Introduction
Mozilla's 0Day Investigative Network (0Din) is a GenAI bug bounty program that incentivizes the discovery and reporting of security vulnerabilities in large language models, attention-based systems and other generative models to enhance Internet and personal safety.
Vulnerability Processing and Disclosure Policy
Abstract Sign-off and Bounty Range
This is a novel space, to ensure we're on the same page we recommend researchers include a concise and descriptive title and summary of the issue, the affected model(s), and any relevant context including prompts and model responses. Our team will confirm whether the submission is within scope and provide an estimated bounty range.
Confirm Receipt of Submissions
We will confirm receipt of all vulnerability submissions within 1 business day. This ensures that researchers know their submissions have been formally received and are under review.
Validate Submitted Information
We will validate the information submitted by researchers within 2 weeks. During this period, our team will thoroughly assess the vulnerability to confirm its validity and impact. If the complexity of the submission requires further time for validation, we’ll let the researcher know early in this process.
In the event that our team is experiencing a heavy load, we will inform the researcher in our initial submission receipt. This transparency helps set expectations regarding the timeline for validation and further communication.
Duplicate Discoveries
The security bug must be original and previously unreported. Duplicate submissions within 72 hours will split the bounty between reporters. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a prorated additional bounty on top of the split.
Researcher Payment
We commit to submitting payment to researchers within 2 weeks of reaching a contractual agreement. This ensures that researchers are compensated promptly for their contributions. Bounties can be donated to certain charities (see above), and should be indicated by the researcher during the submission process.
As a matter of both policy and law, we must know who we are paying. Researchers must submit a valid government issued photo identification (ex: passport, drivers license) to be eligible for payment. Researchers are responsible for their own tax obligations in light of the reward. US based researchers must provide a completed IRS W-9 form. Non-US based researchers must provide a completed IRS W-8 form.
Vendor Notification
We will contact the affected vendor within 72 hours of reaching a contractual agreement with the researcher. Our preference is to contact a CVE Numbering Authority (CNA) or a formal security contact designated by the vendor.
If a formal security contact is unavailable, we will attempt to reach the vendor using the following email addresses: psirt@, security@, secure@, support@, and info@. These are common addresses used for reporting security issues.
Public Disclosure Timeline
If we are unable to connect with the vendor after three attempts over a two-week period, we will proceed with public disclosure of the vulnerability within 30 days. This ensures that the information is made available to the public in a timely manner to mitigate potential risks.
If we successfully connect with the vendor, we will provide them with up to one quarter (4 months, 120 days) to address the issue before public disclosure. This time frame allows the vendor sufficient time to develop and deploy a fix while ensuring that the vulnerability is eventually disclosed.
Public Disclosure
Once the public disclosure horizon has been met, we will post and advertise the vulnerability publicly. The 0din team will handle this process, and we will provide (optional) credit to the discovering researcher, acknowledging their contribution to improving security.
By adhering to this policy, we aim to balance the need for public awareness of vulnerabilities with the necessity of giving vendors adequate time to address security issues. Our goal is to foster a collaborative environment that enhances overall cybersecurity.