Security/Web Bug Rotation: Difference between revisions

update bounty handling text
(→‎NEW: update instructions)
(update bounty handling text)
Line 39: Line 39:
### sec-{critical,high,moderate,low,other}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Severity_Ratings severity ratings]
### sec-{critical,high,moderate,low,other}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Severity_Ratings severity ratings]
### wsec-{authentication,cookie,xss,sqli,...}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Group_Keywords vulnerability types]
### wsec-{authentication,cookie,xss,sqli,...}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Group_Keywords vulnerability types]
## If the reporter is eligible for bounties (non-staff, non-sg), Set "sec-bounty" flag to "?"
## Block the appropriate meta-bug
## Edit "Assigned To" and check the box for "Reset Assignee to default"
## Edit "Assigned To" and check the box for "Reset Assignee to default"
# If the verification shows that the issue is invalid, close the bug as '''INVALID'''
# If the verification shows that the issue is invalid, close the bug as '''INVALID'''
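Review bot: dropping "Block the appropriate meta-bug" from the NEW triage steps leaves no visible step that attaches a new web bug to the per-property metabugs that the Bounty section still lists under bug 835475 (web-bounty) and bug 836522 (other-bounty); if blocking the metabug is still expected, keep that sub-step here or say in the Bounty section that the Web Bounty Form does it.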
Line 48: Line 46:


=Bounty=
=Bounty=
 
# Bounty flags are set automatically through the [https://bugzilla.mozilla.org/form.web.bounty Web Bounty Form].
Under {{bug|835475}} (web-bounty), you will find a list metabugs for different Mozilla web properties. The list is ad-hoc and likely needs to be expanded. There is currently a catch all {{bug|836522}} (other-bounty) to cover bugs that do not fit into any of the other trackers.
# Check the Web Bounty FAQ for whether the site and service are in scope for the bounty program.  
## If the site is not on the [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs eligible list] and the bug is not "extraordinary" please set the bug-bounty flag to "-" and needinfo flag :adamm.
# If a submitter requests that a bug submitted outside the automated form have a bounty flag added, set the bounty flag to "?" and needinfo :adamm.


For '''NEW''' bugs
For '''NEW''' bugs
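Review bot: the new sub-step "set the bug-bounty flag to "-"" names the flag differently from the rest of the page, which calls it sec-bounty (sec-bounty-, sec-bounty+); use one name so triagers do not look for a flag that does not exist. Two smaller points in the same hunk: "Check the Web Bounty FAQ" should link the FAQ the way the next line links the eligible list, and "a list metabugs" is missing "of".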
Line 63: Line 63:
## If the old bug has the attachment 'bounty non-qual' or similar then set sec-bounty- on the old bug
## If the old bug has the attachment 'bounty non-qual' or similar then set sec-bounty- on the old bug
## If the old bug has the attachment 'bounty awarded X' or 'bounty paid X', then set sec-bounty+ on the old bug
## If the old bug has the attachment 'bounty awarded X' or 'bounty paid X', then set sec-bounty+ on the old bug
## If no duplicate is found and the issue is not verified the bug shall be RESOLVED - INVALID and the whiteboard tag removed.
## If no duplicate is found and the issue is not verified the bug shall be RESOLVED - INVALID and the whiteboard tag removed.