When using the HTTPS protocol, Firefox uses SSL/TLS with strong cryptography to protect communications with web servers. It uses a sandbox security model, and the developers use a "bug bounty" scheme to find fixes for some security and feature additions. Official guidelines for handling security vulnerabilities discourage early disclosure of vulnerabilities so as not to give potential attackers an advantage in creating exploits.
Firefox has fewer and less severe publicly known unpatched security vulnerabilities than Internet Explorer (see Comparison of web browsers), and this is often cited as a reason to switch from Internet Explorer to Firefox for improved security. The Washington Post reports that exploit code for critical unpatched security vulnerabilities in Internet Explorer was available for 284 days in 2006. In comparison, exploit code for critical security vulnerabilities in Firefox was available for 9 days before Mozilla shipped a patch to remedy the problem.
A 2006 Symantec study showed that Firefox had surpassed other browsers, including Internet Explorer, in the number of vendor-confirmed vulnerabilities that year through September; these vulnerabilities were patched far more quickly than those found in IE and other browsers. Symantec later clarified its statement, saying that Firefox still had fewer security vulnerabilities, as counted by security researchers. As of February 25, 2007, Firefox 2 has two of six security vulnerabilities unpatched, marked "not critical" and "less critical" by Secunia. Internet Explorer has five of seven security vulnerabilities unpatched, the most severe of which was rated "moderately critical" by Secunia. (Note that the number of "Secunia Advisories" listed for each browser does not reflect the actual number of vulnerabilities reported for it. Advisory SA23282 for Mozilla Firefox 2.0.x contains multiple vulnerabilities.)