Re:We will probably never get to see them (Score 2, Informative)

So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

Quoting from the Mozilla Security Bug Bounty FAQ,

If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.