Firefox uses a sandbox security model. and limits scripts from accessing data from other web sites based on the same origin policy. It uses SSL/TLS to protect communications with web servers using strong cryptography when using the HTTPS protocol. It also provides support for web applications to use smartcards for authentication purposes.
The Mozilla Foundation offers a "bug bounty" to researchers who discover severe security holes in Firefox. Official guidelines for handling security vulnerabilities discourage early disclosure of vulnerabilities so as not to give potential attackers an advantage in creating exploits.
Because Firefox has fewer and less severe publicly known unpatched security vulnerabilities than Internet Explorer (see Comparison of web browsers), improved security is often cited as a reason to switch from Internet Explorer to Firefox.The Washington Post reports that exploit code for critical unpatched security vulnerabilities in Internet Explorer was available for 284 days in 2006. In comparison, exploit code for critical security vulnerabilities in Firefox was available for 9 days before Mozilla shipped a patch to remedy the problem.
A 2006 Symantec study showed that although Firefox had surpassed other browsers in the number of vendor-confirmed vulnerabilities that year through September, these vulnerabilities were patched far more quickly than those found in other browsers. Symantec later clarified their statement, saying that Firefox still had fewer security vulnerabilities than Internet Explorer, as counted by security researchers. As of July 9, 2009, Firefox 3.5 has no unpatched security vulnerabilities according to Secunia.Internet Explorer 8 has one unpatched security vulnerability, which is rated "Less critical" by Secunia.