Security/Fileabug: Difference between revisions

From MozillaWiki
Revision history: page created with the edit summary "Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit..."; the latest revision has no edit summary; 6 intermediate revisions by the same user are not shown.

Latest revision as of 09:37, 21 October 2019

Filing A Security Bug

Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.

Reporting a security bug

The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to follow the process outlined below:

  • Website bugs: https://www.mozilla.org/en-US/security/web-bug-bounty/
  • Client bugs (desktop, mobile, etc.): https://www.mozilla.org/en-US/security/client-bug-bounty/

NB: even if you don't want a bounty, it helps us triage, so use the forms above and just indicate in the bug that you don't want it considered for a bounty.

Steps to file a bug

If you can't use the process above, or you are simply unsure, you can also follow the manual process below:

1. Make sure you have a Bugzilla account. You can create a new account at https://bugzilla.mozilla.org/createaccount.cgi.
2. Create a new bug on bugzilla.mozilla.org at https://bugzilla.mozilla.org/enter_bug.cgi.
3. Select the affected product (screenshot: Productchoice.png).
4. Select the affected component (best guess is OK; we will re-assign as need be) (screenshot: Componentchoice.png).
5. Add a bug summary.
6. Add a bug description.
7. Add as much information as possible:

  • a "proof of concept" testcase
  • point out vulnerable code (use DXR at https://dxr.mozilla.org/mozilla-central/source/ or searchfox at http://searchfox.org/ to link to code directly)
  • attach debug output or output from a tool demonstrating the issue.

8. IMPORTANT: mark the bug as a "security" bug to keep it confidential (screenshot: Securitybug.png).
9. Double-check your entry, then submit the bug.

Note: bug description and comments can NOT be edited (for transparency and integrity purposes), so double-check what you write!
