Security/Fileabug: Difference between revisions
Ptheriault (talk | contribs) (Created page with "Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit...") |
Ptheriault (talk | contribs) No edit summary |
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Filing A Security Bug == | |||
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue. | Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue. | ||
'''Steps to file a bug' | ==== Reporting a security bug ==== | ||
The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to following the process outlined below: | |||
* Website bugs: https://www.mozilla.org/en-US/security/web-bug-bounty/ | |||
* Client (desktop, mobile etc): https://www.mozilla.org/en-US/security/client-bug-bounty/ | |||
NB, even if you don't wan't a bounty it helps us triage so use the forms above, and just indicate in the bug that you don't want it considered for bounty. | |||
=== Steps to file a bug === | |||
If you can't use the process above, or you are simply unsure, you can also follow the manual process below: | |||
1. Make sure you have a Bugzilla account. You can create a new account [https://bugzilla.mozilla.org/createaccount.cgi here].<br /> | |||
2. Create a [https://bugzilla.mozilla.org/enter_bug.cgi new bug] on bugzilla.mozilla.org <br /> | |||
3. Select the affected product: <br /> | |||
[[File:Productchoice.png|400px|frameless|none]]<br /> | |||
4. Select the affected component (best guess is OK - we will re-assign as need be):<br /> | |||
[[File:Componentchoice.png|400px|frameless|none]]<br /> | |||
5. Add a bug summary <br /> | |||
6. Add a bug description<br /> | |||
7. Add as much information as possible: <br /> | |||
* a "proof of concept" testcase | |||
* point out vulnerable code (use [https://dxr.mozilla.org/mozilla-central/source/ DXR] or [http://searchfox.org/ searchfox] to link to code directly) | |||
* attach debug output or output from a tool demonstrating the issue. <br /> | |||
8. '''IMPORTANT: mark the bug as a "security" bug to keep it confidential''':<br /> | |||
[[File:Securitybug.png|800px|frameless|none]]<br /> | |||
9. Double check your entry then Submit the bug. <br /> | |||
Note: bug description and comments can NOT be edited (for transparency & integrity purposes) so double check what you write! | |||
Tips: | |||
* |
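Review bot: The new revision ends with "Tips:" followed by an empty "*" bullet, so the page is saved with a label that has no content under it; either fill in the tips or drop both lines. In the added "Reporting a security bug" text, "is to following the process" should read "is to follow the process" and "don't wan't a bounty" should read "don't want a bounty". The heading levels are out of order: "==== Reporting a security bug ====" (level 4) sits directly under the level 2 title and before "=== Steps to file a bug ===" (level 3), so the two subsections should use the same level. The steps are hand-numbered "1." to "9." with `<br />` breaks rather than wiki list markup, which leaves the bullets under step 7 and the screenshots under steps 3, 4 and 8 outside their list items. The searchfox link uses http:// while the other links use https://.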
Latest revision as of 09:37, 21 October 2019
Filing A Security Bug
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.
Reporting a security bug
The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to follow the process outlined below:
- Website bugs: https://www.mozilla.org/en-US/security/web-bug-bounty/
- Client (desktop, mobile etc): https://www.mozilla.org/en-US/security/client-bug-bounty/
NB: even if you don't want a bounty, using the forms above helps us triage, so use them and just indicate in the bug that you don't want it considered for a bounty.
Steps to file a bug
If you can't use the process above, or you are simply unsure, you can also follow the manual process below:
1. Make sure you have a Bugzilla account. You can create a new account at https://bugzilla.mozilla.org/createaccount.cgi.
2. Create a new bug on bugzilla.mozilla.org (https://bugzilla.mozilla.org/enter_bug.cgi)
3. Select the affected product:
4. Select the affected component (best guess is OK - we will re-assign as need be):
5. Add a bug summary
6. Add a bug description
7. Add as much information as possible:
- a "proof of concept" testcase
- point out vulnerable code (use DXR, https://dxr.mozilla.org/mozilla-central/source/, or searchfox, http://searchfox.org/, to link to code directly)
- attach debug output or output from a tool demonstrating the issue.
8. IMPORTANT: mark the bug as a "security" bug to keep it confidential:
9. Double-check your entry, then submit the bug.
Note: the bug description and comments can NOT be edited (for transparency & integrity purposes), so double-check what you write!
Tips: