meacer -- Do you know how XPI files are handled by Firefox?  Are they auto-loaded and auto-executed if you open them from the file system?

If firefox prompts, then there is enough friction that this wouldn't qualify for VRP.

Here's the process: https://accessfirefox.org/Install_Addon_Manually.php
Here's a video demo: https://youtu.be/u36KaXCI5T4?t=32
Firefox does show a confirmation prompt and asks the user to only install extensions from trusted authors.

Most importantly, Windows doesn't recognize the XPI filetype and doesn't associate it with Firefox so the user needs to know how to make Firefox consume it.
https://support.mozilla.org/en-US/questions/1009049

In my opinion, that raises the friction high enough.

I agree, I'm pretty sure Firefox will almost always ask if the user wants to install the extension, making this file type not that dangerous.

research@nightwatchcybersecurity.com: Thanks a lot for filing this bug under the SafeBrowsing VRP.

Merely downloading an XPI file is not dangerous in itself and requires a non-trivial amount of work by the user afterwards.

Therefore, based on the rules of the program, this bug is ineligible for a reward because it doesn't meet the condition: "minimal user interaction with the file".

For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot