Security/Fileabug: Difference between revisions
Ptheriault (talk | contribs) |
Ptheriault (talk | contribs) No edit summary |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue. | Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue. | ||
==== | ==== Reporting a security bug ==== | ||
The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to following the process outlined below: | |||
* Website bugs: https://www.mozilla.org/en-US/security/web-bug-bounty/ | |||
* Client (desktop, mobile etc): https://www.mozilla.org/en-US/security/client-bug-bounty/ | |||
NB, even if you don't wan't a bounty it helps us triage so use the forms above, and just indicate in the bug that you don't want it considered for bounty. | |||
=== Steps to file a bug === | === Steps to file a bug === | ||
If you can't use the process above, or you are simply unsure, you can also follow the manual process below: | |||
1. Make sure you have a Bugzilla account. You can create a new account [https://bugzilla.mozilla.org/createaccount.cgi here].<br /> | 1. Make sure you have a Bugzilla account. You can create a new account [https://bugzilla.mozilla.org/createaccount.cgi here].<br /> | ||
2. Create a new bug on bugzilla.mozilla.org <br /> | 2. Create a [https://bugzilla.mozilla.org/enter_bug.cgi new bug] on bugzilla.mozilla.org <br /> | ||
3. Select the affected product <br /> | 3. Select the affected product: <br /> | ||
[[File:Productchoice.png|400px|frameless|none]]<br /> | [[File:Productchoice.png|400px|frameless|none]]<br /> | ||
4. Select the affected component (best guess is OK - we will re-assign as need be)<br /> | 4. Select the affected component (best guess is OK - we will re-assign as need be):<br /> | ||
[[File:Componentchoice.png|400px|frameless|none]]<br /> | [[File:Componentchoice.png|400px|frameless|none]]<br /> | ||
5. Add a bug summary <br /> | 5. Add a bug summary <br /> | ||
| Line 19: | Line 25: | ||
* point out vulnerable code (use [https://dxr.mozilla.org/mozilla-central/source/ DXR] or [http://searchfox.org/ searchfox] to link to code directly) | * point out vulnerable code (use [https://dxr.mozilla.org/mozilla-central/source/ DXR] or [http://searchfox.org/ searchfox] to link to code directly) | ||
* attach debug output or output from a tool demonstrating the issue. <br /> | * attach debug output or output from a tool demonstrating the issue. <br /> | ||
8. '''IMPORTANT: mark the bug as a "security" bug to keep it confidential'''<br /> | 8. '''IMPORTANT: mark the bug as a "security" bug to keep it confidential''':<br /> | ||
[[File:Securitybug.png|800px|frameless|none]]<br /> | |||
9. Double check your entry then Submit the bug. <br /> | 9. Double check your entry then Submit the bug. <br /> | ||
Latest revision as of 09:37, 21 October 2019
Filing A Security Bug
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.
Reporting a security bug
The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to following the process outlined below:
- Website bugs: https://www.mozilla.org/en-US/security/web-bug-bounty/
- Client (desktop, mobile etc): https://www.mozilla.org/en-US/security/client-bug-bounty/
NB, even if you don't wan't a bounty it helps us triage so use the forms above, and just indicate in the bug that you don't want it considered for bounty.
Steps to file a bug
If you can't use the process above, or you are simply unsure, you can also follow the manual process below:
1. Make sure you have a Bugzilla account. You can create a new account here.
2. Create a new bug on bugzilla.mozilla.org
3. Select the affected product:
4. Select the affected component (best guess is OK - we will re-assign as need be):
5. Add a bug summary
6. Add a bug description
7. Add as much information as possible:
- a "proof of concept" testcase
- point out vulnerable code (use DXR or searchfox to link to code directly)
- attach debug output or output from a tool demonstrating the issue.
8. IMPORTANT: mark the bug as a "security" bug to keep it confidential:
9. Double check your entry then Submit the bug.
Note: bug description and comments can NOT be edited (for transparency & integrity purposes) so double check what you write!
Tips: