Security/Fileabug: Difference between revisions

From MozillaWiki
No edit summary
Line 3: Line 3:
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.  
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.  


'''Steps to file a bug'''
==== A note on bug bounties ====
# Make sure you have a Bugzilla account. You can create a new account [https://bugzilla.mozilla.org/createaccount.cgi here].
If you want to report a website bug to be considered for the [https://www.mozilla.org/en-US/security/web-bug-bounty/ Web Bounty Program], please use [https://bugzilla.mozilla.org/form.web.bounty this form] instead of the instructions below.<br/> For all other bugs, including bounty submissions for the [https://www.mozilla.org/en-US/security/client-bug-bounty/ Client Bounty Program] should use the steps below.
# Create a new bug on bugzilla.mozilla.org  
 
# Select the affected product
=== Steps to file a bug ===
# Select the affected component (best guess is OK - we will re-assign as need be)
1. Make sure you have a Bugzilla account. You can create a new account [https://bugzilla.mozilla.org/createaccount.cgi here].<br />
# Add a bug summary  
2. Create a new bug on bugzilla.mozilla.org <br />
# Add a bug description
3. Select the affected product <br />
# Add as much information as possible: a "proof of concept" testcase, point out vulnerable code, attach debug output or output from a tool demonstrating the issue.  
[[File:Productchoice.png|400px|frameless|none]]<br />
# '''IMPORTANT: mark the bug as a "security" bug to keep it confidential'''
4. Select the affected component (best guess is OK - we will re-assign as need be)<br />
[[File:Componentchoice.png|400px|frameless|none]]<br />
5. Add a bug summary <br />
6. Add a bug description<br />
7. Add as much information as possible: <br />
* a "proof of concept" testcase  
* point out vulnerable code (use [https://dxr.mozilla.org/mozilla-central/source/ DXR] or [http://searchfox.org/ searchfox] to link to code directly)
* attach debug output or output from a tool demonstrating the issue. <br />
8. '''IMPORTANT: mark the bug as a "security" bug to keep it confidential'''<br />
9. Double check your entry then Submit the bug. <br />
 
Note: bug description and comments can NOT be edited (for transparency & integrity purposes) so double check what you write!
 
Tips:
* Provide steps to
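
Review bot: the second sentence of the new bounty note, "For all other bugs, including bounty submissions for the Client Bounty Program should use the steps below.", has no subject for "should use"; suggest "All other bugs, including bounty submissions for the Client Bounty Program, should use the steps below." Separately, the new step list replaces the wiki "#" list markup with hand-typed "1." to "9." lines ending in "<br />", so the numbering has to be maintained by hand and the screenshots and the bullets under step 7 are no longer part of the list. Keeping "#" for the steps, with "#:" for the two [[File:...]] lines and "#*" for the sub-bullets, would keep automatic numbering and the nesting.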

Revision as of 08:39, 25 July 2016

Filing A Security Bug

Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.

A note on bug bounties

If you want to report a website bug to be considered for the Web Bounty Program, please use this form instead of the instructions below.
All other bugs, including bounty submissions for the Client Bounty Program, should use the steps below.

Steps to file a bug

1. Make sure you have a Bugzilla account. You can create a new account here.
2. Create a new bug on bugzilla.mozilla.org
3. Select the affected product

4. Select the affected component (best guess is OK - we will re-assign as need be)

5. Add a bug summary
6. Add a bug description
7. Add as much information as possible:

  • a "proof of concept" testcase
  • point out vulnerable code (use DXR or searchfox to link to code directly)
  • attach debug output or output from a tool demonstrating the issue.

8. IMPORTANT: mark the bug as a "security" bug to keep it confidential
9. Double-check your entry, then submit the bug.

Note: bug description and comments can NOT be edited (for transparency & integrity purposes) so double check what you write!

Tips:

  • Provide steps to