Security: Difference between revisions

← Older edit

Security (view source)

Revision as of 23:03, 12 March 2021

967 bytes added , 12 March 2021

Update link to Guidelines

Gene wood

Confirmed users

107

edits

@@ Line 1: / Line 1: @@
-==Mozilla Security:==
+ “Individuals’ security and privacy on the Internet are
+ fundamental and must not be treated as optional.”
+   - [http://www.mozilla.org/en-US/about/manifesto/ Mozilla Manifesto Principle 4]
-Welcome to the Mozilla Security wiki.  There is not much here yet so feel free to contribute.
+'''The Mozilla Security community provides leadership in security by building security features, testing software and systems, and leading industry standards to ensure that individuals retain the ability to make meaningful choices about security and privacy on the Internet. '''
-=== Meeting Notes ===
+This page documents the security-related activities for Mozilla and how to join us.
-[[Security/Meetings/2011-06-01]]
-[[Security/Meetings/2011-06-08]]
-=== Security-related bugs  ===
+__TOC__
-[[Security Severity Ratings]]
+== Reporting Security Issues ==
+Mozilla relies on the security community to help secure our products and websites by reporting security issues. Our preference is to receive '''[[Security/Fileabug|bug reports]]''' via our bug tracking system Bugzilla, however [https://www.mozilla.org/security/#For_Developers emailing security@mozilla.org ] (preferably encrypted) is also an option.
-[http://www.mozilla.org/security/#For_Developers How to report a security issue]
+Details on the way we classify security bugs can be [[Security Severity Ratings|found here]].
-[[Security/FixMe|Want to fix a security bug? Here is a list of old thorny bugs you can take on.]]
+== Security at Mozilla ==
+=== Who are we? ===
+Security at Mozilla is distributed among the following teams:
+* [[SecurityEngineering|Security Engineering]] makes users of Firefox safer on the Internet.
+* [[Security/FoxSec|Security Operations]] protects the product infrastructure and builds security services.
+* Firefox Fuzzing finds vulnerabilities in Firefox.
+* [[Security/InfoSec|Security Assurance]] leads incident response, product security strategy, and risk management.
-===Security reviews for new features/products===
+=== Contacting Us ===
-''Main Article: [[Security/Reviews]]''
+The Mozilla security team is available via a number of channels:
-====[[Security/Radar|Security Radar]]====
+* Via email
-* [[Security/Radar/Active|Active]]
+** security@mozilla.org: to contact us privately or [https://www.mozilla.org/security/#For_Developers reporting security bugs]
-* [[Security/Radar/Triage|Triage]]
+** dev-security@lists.mozilla.org: this is the best place to ask security questions that don't need to be private. You might also try searching this list for answers to your questions
-* [[Security/Radar/OffScope|Off Scope]]
+** You can also find us on a number of security related mailing lists including W3C WebAppSec
+* Via the [https://matrix.to/#/!xSFwJMLGSLXLaSUrHr:mozilla.org?via=mozilla.org&via=matrix.org #security] channel on Mozilla's [[Matrix]] instance.
-====Unlinked Reviews====
+'''Need a security review for Firefox feature/change? See [[Security/Testing]].'''
-* [[Labs/Weave/Sync Client Security Review|Sync Client]]
-* [[Firefox Sync/Weave 1.3b5 Client Security Review|Weave 1.3b5 Client]]
-* [[Firefox/Projects/AccountManager/SecurityReview|Account Manager]]
-===Security Discussions / Possible Features===
+== Information for developers ==
-* [[Security/Cookie Preferences]]
+===Security Bug Processes ===
-* [[Security/l20n]]
+* [[Security/Firefox_security_bug_fixing|Guidelines for fixing a core-security bug in Firefox]]
-* [[Security/Add-Ons Discussion]]
+* [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]]
+* [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]]
+* [[Security/Firefox/Security_Bug_Triage_Process|Security Bug Triage Process]]
+* [[Security/Firefox/Security_Bug_Life_Cycle|Security Bug Life Cycle]]
-===Security feature work===
+== Contributing to the security of Mozilla products ==
+There are a range of ways to contribute to security engineering at Mozilla.
-''Main article: [[Security/Features]]''
+=== Developers ===
+* Implement security features
+* Fix outstanding security bugs
+* Contribute to security feature development
-* [[Security/CSP|Content Security Policy]] proposal and implementation
+=== Security Testers ===
-* [[Security/STS|Strict Transport Security]] proposal to prevent network attacks on all-HTTPS sites
+* Test Firefox or Mozilla Websites as part of our bug bounty programs
-* [[Security/Origin|Origin proposal for CSRF and clickjacking mitigation]]  (i.e. anything that requires authentication of the origin of a request)
-* [[Security/ProcessIsolation|Process Isolation: Internal compartmentalization of Firefox architecture]]
-=== Security Initiatives ===
+=== Community ===
+* Test & provide feedback on new security features
+* Improve security documentation
-* The plugin problem.
+== Mozilla Official Sites ==
-** https://wiki.mozilla.org/Security:ThePluginProblem
+* [http://www.mozilla.org/security Mozilla Security Center]
+* [http://developer.mozilla.org/en/Security Mozilla security developer docs]
-===Mozilla Security resources and blogs ===
+* [[CA|Mozilla CA Root Program]]
+* [http://blog.mozilla.com/security Mozilla Security blog]
-[http://www.mozilla.org/security Mozilla Security Center]
+* [https://infosec.mozilla.org/guidelines/ Security/Guidelines/]
-[http://developer.mozilla.org/en/Security Mozilla security developer docs]
-[http://blog.mozilla.com/security Mozilla Security blog]
-[http://blog.mozilla.com/ladamski Lucas Adamski's blog]
-[http://blog.sidstamm.com Sid Stamm's blog]
-[http://cslyon.net Chris Lyon's blog]
-===Stuff that needs to be merged into this page properly===
-* [[Security:Strawman Model]]
-* [[Security:Security Checks In Glue]] &mdash; a possible security model
-* [[Security:Scattered Security Checks]] &mdash; a possible security model
-* [[Security:Wrapper-based Checks]] &mdash; a possible security model
-* [[Security:Bibliography]]
-* [[Security:EV]] &mdash; summary about EV certification
-* [[Image:Intro_to_Mozilla_Metrics.pdf]] Draft discussion of Security Metrics at Mozilla