@attackanddefense@infosec.exchange - Mozilla's Security Internals for Security Engineers, Security Researchers, and Bug Bounty Hunters.

Joined February 2020
Please report bugs. If you - or someone else - improves exploitability after the initial report, the bounty will be increased. If you're the second reporter, you will be pro-rated. I guess I can only speak for our bounty program but come on industry, you can do better. #bugbountytips
Do not report open redirects without fully analyzing them and seeing their potential. Thanks to a random guy who reported an open redirect, our report for a full SSRF leaking the client secret of an integration was claimed as a dupe. Again: do not report open redirects #bugbountytips
6 Firefox entries at pwn2own. 5 withdrawals due to our 150.0.3 security release. 1 failed attempt. 0 Exploits. No incidents. Time to party :)
Reminder that our bug bounty program accepts PoCs (e.g., verifiable in address sanitizer builds that you can find here firefox-source-docs.mozilla.…). No need to write a full exploit. More here mozilla.org/en-US/security/c… :)
Great bug, thank you for the detailed report. We just released 150.0.3 to fix this. mozilla.org/en-US/security/a…
May 11
I was hoping to compete in Pwn2Own with a Firefox full-chain entry, but unfortunately it was rejected. I’ve reported the vulnerability to the Mozilla team.
Sorry this broke your chain @qriousec, @trichimtrich, @lanleft_, and @wiz1340. Would love to compare notes if you still make it to Berlin.
When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? Well, here they are. We are unhiding 12 security bugs that are representative of the issues we have found. hacks.mozilla.org/2026/05/be…
Attack and Defense retweeted
After a long pause, a new video coming today! Part 1 of a small documentary about Pwn2Own…
Mozilla is looking for a Staff Security Engineer, Product Security in Remote Canada/US/UK/Germany - mozilla.org/en-US/careers/po…
(This is not the Firefox Security team, so we won't be able to answer a lot of the typical questions here)
We just published the Q2 2025 edition of the Firefox Security and Privacy newsletter. Highlights:
* CHIPS
* Webcompat improvements
* Better HTTPS error pages
* Firefox Relay integration
...and much more. attackanddefense.dev/2025/07…
Did you know that all of our good stuff is also available elsewhere? Follow us on Mastodon at infosec.exchange/@attackandd… or keep refreshing our site at attackanddefense.dev/
We just updated our bug bounty hall of fame to include the great security researchers from the last two quarters. Thank you for securing the best #Firefox yet :) mozilla.org/en-US/security/b…
Attack and Defense retweeted
bugzilla.mozilla.org/show_bu… This is a big change for DOM Clobberers. Firefox Nightly no longer allows native document properties to be overwritten by elements with a name attr, e.g.:
<img src=a name=currentScript>
<script>
alert(document.currentScript) // HTMLScriptElement
</script>
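The HTML spec still defines these named properties on `document` (the `name` of embed, form, iframe, img and object elements, and the `id` of object elements), so a template-side check remains useful even where the engine no longer lets them shadow built-ins. As an added example that is not Mozilla's or Firefox's own code, the Node.js script below scans raw HTML for elements whose exposed name or id collides with a built-in document property such as currentScript; the property list is a constructed, partial sample.

```javascript
// Added example (not Mozilla's or Firefox's code): a static lint that flags
// DOM-clobbering candidates in HTML, i.e. elements whose name/id would be exposed
// as a named property on `document` and shadow a built-in like currentScript.
// The property list is a constructed, partial sample, not the full document API.
const DOCUMENT_PROPS = new Set([
  "currentScript", "cookie", "body", "head", "forms", "images", "scripts",
  "location", "domain", "referrer", "title", "write", "getElementById",
  "querySelector", "createElement", "documentElement",
]);

// Per the HTML spec, `document` exposes the `name` of embed, form, iframe, img
// and object elements, and the `id` of object elements, as named properties.
const NAME_EXPOSED = new Set(["embed", "form", "iframe", "img", "object"]);
const ID_EXPOSED = new Set(["object"]);

const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;

// Returns one finding per element/attribute whose value collides with a
// document property. Works on raw HTML text, so it runs without a browser.
function findClobberCandidates(html) {
  const findings = [];
  for (const [, rawTag, attrText] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    for (const m of attrText.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      const exposed =
        (attr === "name" && NAME_EXPOSED.has(tag)) ||
        (attr === "id" && ID_EXPOSED.has(tag));
      if (exposed && DOCUMENT_PROPS.has(value)) {
        findings.push({ tag, attr, value });
      }
    }
  }
  return findings;
}

// Constructed sample: the tweet's snippet plus a harmless form and a clobbering object.
const SAMPLE_HTML =
  '<img src=a name=currentScript>\n' +
  '<form name="login"></form>\n' +
  '<object id="cookie"></object>\n' +
  '<script>alert(document.currentScript)</script>';

for (const f of findClobberCandidates(SAMPLE_HTML)) {
  console.log(`${f.tag}[${f.attr}="${f.value}"] shadows document.${f.value}`);
}
```

Run it over a site's templates in CI to catch named elements that would collide with document properties before they reach a browser that still honours them.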
Attack and Defense retweeted
17 Jun 2025
Good find. This is now fixed @FirefoxNightly. Sorry, no fun allowed.
We updated our Firefox Bug Bounty Hall of Fame for Q4 of 2024. 🏆👏 Thank you to the many folks who helped keep Firefox secure! mozilla.org/en-US/security/b…