|
|
| (35 intermediate revisions by 15 users not shown) |
| Line 1: |
Line 1: |
| Welcome to the Mozilla Security wiki.
| | “Individuals’ security and privacy on the Internet are |
| | fundamental and must not be treated as optional.” |
| | - [http://www.mozilla.org/en-US/about/manifesto/ Mozilla Manifesto Principle 4] |
|
| |
|
| === Security-related bugs ===
| | '''The Mozilla Security community provides leadership in security by building security features, testing software and systems, and leading industry standards to ensure that individuals retain the ability to make meaningful choices about security and privacy on the Internet. ''' |
| * [[Security Severity Ratings]]
| |
| * [http://www.mozilla.org/security/#For_Developers How to report a security issue]
| |
| * [[Security/FixMe|Want to fix a security bug? Here is a list of old thorny bugs you can take on.]]
| |
|
| |
|
| ===Engaging with Security===
| | This page documents the security-related activities for Mozilla and how to join us. |
| ====How To Find Us====
| |
| Lot's of options, we're here to help:
| |
| * [mailto:Security@mozilla.org Security@mozilla.org] - email us any questions, concerns, etc
| |
| * Bugzilla Keyword - '''sec-review-needed''' - We triage based on this keyword and will jump in to provide assistance
| |
| * '''#security''' on [https://wiki.mozilla.org/IRC IRC]
| |
| * File a security/privacy review request via this [https://wiki.mozilla.org/Security/Reviews/Review_Request_Form link]
| |
| * Attend a [[Security/Talks | Security Talk]] given by one of the security team
| |
|
| |
|
| ====Security reviews for new features/products/applications==== | | __TOC__ |
| ''Main Article: [[Security/Reviews]]'' | | |
| * Find past reviews by [https://wiki.mozilla.org/Category:SecReview Category:SecReview]
| | == Reporting Security Issues == |
| ====The Mozilla Secure Development Lifecycle ==== | | Mozilla relies on the security community to help secure our products and websites by reporting security issues. Our preference is to receive '''[[Security/Fileabug|bug reports]]''' via our bug tracking system Bugzilla, however [https://www.mozilla.org/security/#For_Developers emailing security@mozilla.org ] (preferably encrypted) is also an option. |
| * Understand the [[Security/Reviews/Secure Development Lifecycle | Secure Development Lifecycle]] used to secure our new features/products/applications
| | |
| * Information on Bugzilla and the [[Security/Reviews/Bugzilla Components| Security Assurance Component]] | | Details on the way we classify security bugs can be [[Security Severity Ratings|found here]]. |
| ====Security Bug Processes ====
| | |
| * [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]] | | == Security at Mozilla == |
| * [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]] | | === Who are we? === |
| | Security at Mozilla is distributed among the following teams: |
| | * [[SecurityEngineering|Security Engineering]] makes users of Firefox safer on the Internet. |
| | * [[Security/FoxSec|Security Operations]] protects the product infrastructure and builds security services. |
| | * Firefox Fuzzing finds vulnerabilities in Firefox. |
| | * [[Security/InfoSec|Security Assurance]] leads incident response, product security strategy, and risk management. |
|
| |
|
| ====Request a Security or Privacy Review ==== | | === Contacting Us === |
| * Complete the questions at the following page to provide the basic info to kickstart a security or privacy review | | The Mozilla security team is available via a number of channels: |
| * We'll create and link the corresponding wiki page within the [[Security/Radar|Security Radar]] | | * Via email |
| * [[Security/Reviews/Review Request Form | Security & Privacy Review Request Form]]
| | ** security@mozilla.org: to contact us privately or [https://www.mozilla.org/security/#For_Developers reporting security bugs] |
| ====[[Security/Radar|Security Radar]]====
| | ** dev-security@lists.mozilla.org: this is the best place to ask security questions that don't need to be private. You might also try searching this list for answers to your questions |
| | ** You can also find us on a number of security related mailing lists including W3C WebAppSec |
| | * Via the [https://matrix.to/#/!xSFwJMLGSLXLaSUrHr:mozilla.org?via=mozilla.org&via=matrix.org #security] channel on Mozilla's [[Matrix]] instance. |
|
| |
|
| {| class="wikitable collapsible collapsed" style="width: 100%"
| | '''Need a security review for Firefox feature/change? See [[Security/Testing]].''' |
| ! Unlinked Reviews
| |
| |-
| |
| |
| |
| * [[Security/Reviews/Mobile/AndroidSystemStorage| Android System Storage]]
| |
| * [[Security/Firefox/WebAPI/WebBattery| WebBattery]]
| |
| * [[Security/Reviews/BrowserIDCAPI| BrowserID C API]]
| |
| * [[Security/Reviews/crossoriginAttribute|Add crossorigin attribute]]
| |
| * [[Security/Reviews/Firefox10/SyncDialogue|Sync Dialogue]]
| |
| * [[Security/Reviews/JetPack2011-20/12 | JetPack 2011-10-12]]
| |
| * [[Security/Reviews/XHRnonpost| XHR non-post rewrite]]
| |
| * [[Security/Reviews/StubInstaller|Stub Installer]]
| |
| * [[Labs/Weave/Sync Client Security Review|Sync Client]]
| |
| * [[Firefox Sync/Weave 1.3b5 Client Security Review|Weave 1.3b5 Client]]
| |
| * [[Security/Reviews/DNSSEC-TLS|DNSSEC-TLS]]
| |
| * [[Security/Reviews/OWA-F1|Web Activities & F1]]
| |
| * [[Security/Reviews/ReviewNotes/MouseLock|MouseLock]]
| |
| * [[Security/Reviews/ReviewNotes/Joystick|Joystick]]
| |
| |}
| |
|
| |
|
| {| class="wikitable collapsible collapsed" style="width: 100%"
| | == Information for developers == |
| ! Unlinked Discussions
| | ===Security Bug Processes === |
| |- | | * [[Security/Firefox_security_bug_fixing|Guidelines for fixing a core-security bug in Firefox]] |
| | | | * [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]] |
| * [[Security/Discussions/WebRTC|WebRTC]] | | * [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]] |
| |} | | * [[Security/Firefox/Security_Bug_Triage_Process|Security Bug Triage Process]] |
| | * [[Security/Firefox/Security_Bug_Life_Cycle|Security Bug Life Cycle]] |
|
| |
|
| ===Security Feature Development=== | | == Contributing to the security of Mozilla products == |
| We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments. Check out the [[SecurityEngineering]] page for more info!
| | There are a range of ways to contribute to security engineering at Mozilla. |
|
| |
|
| === Security Initiatives === | | === Developers === |
| | * Implement security features |
| | * Fix outstanding security bugs |
| | * Contribute to security feature development |
|
| |
|
| *[[Security/TeamEmbedding]]
| | === Security Testers === |
| *Prioritizing and driving non-feature work: [[Security/Driving]] | | * Test Firefox or Mozilla Websites as part of our bug bounty programs |
|
| |
|
| === Security Resources and Blogs === | | === Community === |
| | * Test & provide feedback on new security features |
| | * Improve security documentation |
|
| |
|
| ==== Mozilla Official Sites ====
| | == Mozilla Official Sites == |
| * [http://www.mozilla.org/security Mozilla Security Center] | | * [http://www.mozilla.org/security Mozilla Security Center] |
| * [http://developer.mozilla.org/en/Security Mozilla security developer docs] | | * [http://developer.mozilla.org/en/Security Mozilla security developer docs] |
| * [[CA|Mozilla CA Root Program]] | | * [[CA|Mozilla CA Root Program]] |
| * [http://blog.mozilla.com/security Mozilla Security blog] | | * [http://blog.mozilla.com/security Mozilla Security blog] |
| * [http://blog.mozilla.com/webappsec Mozilla WebApp Sec Blog]
| | * [https://infosec.mozilla.org/guidelines/ Security/Guidelines/] |
| * [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines Secure Coding Guidelines for Webapps] | |
| | |
| ==== Personal Security Related Blogs of Mozillians ====
| |
| * [http://blog.mozilla.com/ladamski Lucas Adamski's blog]
| |
| * [http://blog.sidstamm.com Sid Stamm's blog]
| |
| * [https://spartiates.wordpress.com/ Curtis Koenig's blog]
| |
| * [http://www.squarefree.com/ Jesse Ruderman's blog] ([http://www.squarefree.com/categories/fuzzing/ fuzzing entries], [http://www.squarefree.com/categories/security/ security entries])
| |
| * [http://blog.mozilla.com/imelven Ian Melven's Mozilla/Security blog]
| |
| * [http://blog.mozilla.com/decoder Christian Holler's blog (decoder)]
| |
| | |
| ==== Twitter Accounts of Security Mozillians ====
| |
| * [https://twitter.com/mozsec Mozilla Security]
| |
| * [https://twitter.com/mozwebsec Mozilla Web Security]
| |
| * [https://twitter.com/jruderman Jesse Ruderman]
| |
| * [https://twitter.com/curtisko Curtis Koenig] (all kinds of random stuff)
| |
| * [https://twitter.com/flamsmark Tom Lowenthal] (privacy)
| |
| * [https://twitter.com/securitae Lucas Adamski]
| |
| * [https://twitter.com/alexanderfowler Alex Fowler]
| |
| * [https://twitter.com/ygjb Yvan Boily]
| |
| * [https://twitter.com/dveditz Daniel Veditz]
| |
| * [https://twitter.com/gh_rooster Raymond Forbes]
| |
| * [https://twitter.com/openbuddha Al Billings] (but mostly Buddhist and Hackerspace tweets)
| |
| * [https://twitter.com/imelven Ian Melven]
| |
| * [https://twitter.com/kangsterizer Guillaume Destuynder]
| |
| * [https://twitter.com/jstevensen Joe Stevensen]
| |
| * [https://twitter.com/nth10sd Gary Kwong] (all sorts of stuff)
| |
| * [https://twitter.com/mozdeco Christian Holler (decoder)]
| |
| * [https://twitter.com/neoCrimeLabs Michael Henry (tinfoil)]
| |
| * [https://twitter.com/tanvihacks Tanvi Vyas]
| |
| * [https://twitter.com/psiinon Simon Bennetts (psiinon)]
| |
| * [https://twitter.com/matthewdfuller Matt Fuller (mfuller)]
| |
| * [https://twitter.com/0x7eff Jeff Bryner (jeff)]
| |
| | |
| ==== OWASP Projects and chapters ====
| |
| The Mozilla Security team is heavily involved with [https://www.owasp.org/ OWASP]:
| |
| * [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] - OWASP Chair
| |
| * [https://www.owasp.org/index.php/User:Curtis_Koenig Curtis Koenig] - [https://www.owasp.org/index.php/Louisville Louisville] Chapter leader
| |
| * [https://www.owasp.org/index.php/User:Mark_Goodwin Mark Goodwin] - [https://www.owasp.org/index.php/East_Midlands East Midlands] Chapter leader
| |
| * Raymond Forbes - [https://www.owasp.org/index.php/Seattle Seattle] Chapter leader
| |
| * [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ZAP] Project leader and [https://www.owasp.org/index.php/Manchester Manchester] Chapter leader
| |
| * [https://www.owasp.org/index.php/User:Yvan_Boily Yvan Boily] - [https://www.owasp.org/index.php/Vancouver Vancouver] Chapter leader
| |
| Mozilla Security team members also frequently talk at OWASP chapter meetings and conferences.
| |
| | |
| ==== Non-Mozilla Resources (blogs, news sites, twitter, tools) ====
| |
| * [[Security/OtherSecurityResources| Other Security Resources]]
| |
| | |
| <h3>Stuff that needs to be merged into this page properly</h3>
| |
| | |
| === Meeting Notes ===
| |
| {| class="wikitable collapsible collapsed" style="width: 100%"
| |
| ! Meetings
| |
| |-
| |
| |
| |
| * [[Security/Meetings/SecurityAssurance|Security Assurance]]
| |
| * [[Security/AppSecBiweekly|AppSec Bi Weelky]]
| |
| | |
| {| class="wikitable collapsible collapsed" style="width: 100%"
| |
| ! SecTeam Meetings 2012
| |
| |-
| |
| |
| |
| * [[Security/Meetings/2012-02-01|2012-02-01]]
| |
| * [[Security/Meetings/2012-01-25|2012-01-25]]
| |
| * [[Security/Meetings/2012-01-18|2012-01-18]]
| |
| * [[Security/Meetings/2012-01-11|2012-01-11]]
| |
| * [[Security/Meetings/2012-01-04|2012-01-04]]
| |
| |}
| |
| {| class="wikitable collapsible collapsed" style="width: 100%"
| |
| ! SecTeam Meetings 2011
| |
| |-
| |
| |
| |
| * [[Security/Meetings/2011-12-28|2011-12-28]]
| |
| * [[Security/Meetings/2011-12-21|2011-12-21]]
| |
| * [[Security/Meetings/2011-12-07|2011-12-14]]
| |
| * [[Security/Meetings/2011-12-07|2011-12-07]]
| |
| * [[Security/Meetings/2011-11-30|2011-11-30]]
| |
| * [[Security/Meetings/2011-11-23|2011-11-23]]
| |
| * [[Security/Meetings/2011-11-16|2011-11-16]]
| |
| * [[Security/Meetings/2011-11-09|2011-11-09]]
| |
| * [[Security/Meetings/2011-11-02|2011-11-02]]
| |
| * [[Security/Meetings/2011-10-26|2011-10-26]]
| |
| * [[Security/Meetings/2011-10-19|2011-10-19]]
| |
| * [[Security/Meetings/2011-10-12|2011-10-12]]
| |
| * [[Security/Meetings/2011-10-05|2011-10-05]]
| |
| * [[Security/Meetings/2011-09-28|2011-09-28]]
| |
| * No meeting on 9/14 (All Hands) or 9/21 (Fuzzing Work Week)
| |
| * [[Security/Meetings/2011-09-07|2011-09-07]]
| |
| * [[Security/Meetings/2011-08-31|2011-08-31]]
| |
| * [[Security/Meetings/2011-08-24|2011-08-24]]
| |
| * [[Security/Meetings/lifecycledisc|Life Cycle discussion]]
| |
| * [[Security/Meetings/2011-08-17|2011-08-17]]
| |
| * [[Security/Meetings/2011-08-10|2011-08-10]]
| |
| * [[Security/Meetings/2011-07-27|2011-07-27]]
| |
| * [[Security/Meetings/2011-07-20|2011-07-20]]
| |
| * [[Security/Meetings/2011-07-13|2011-07-13]]
| |
| * [[Security/Meetings/2011-07-06|2011-07-06]]
| |
| * [[Security/Meetings/2011-06-29|2011-06-29]]
| |
| * [[Security/Meetings/2011-06-22|2011-06-22]]
| |
| * [[Security/Meetings/2011-06-15|2011-06-15]]
| |
| * [[Security/Meetings/2011-06-08|2011-06-08]]
| |
| * [[Security/Meetings/2011-06-01|2011-06-01]]
| |
| |}
| |
| | |
| {| class="wikitable collapsible collapsed" style="width: 100%"
| |
| ! Joint Secteam-Infrasec Meetings 2012
| |
| |-
| |
| |
| |
| * [[Security/Meetings/2012-01-12|2012-01-12]]
| |
| |}
| |
| {| class="wikitable collapsible collapsed" style="width: 100%"
| |
| ! Joint Secteam-Infrasec Meetings 2011
| |
| |-
| |
| |
| |
| | |
| * [[Security/Meetings/2011-12-15|2011-12-15]]
| |
| * [[Security/Meetings/2011-11-17|2011-11-17]]
| |
| * [[Security/Meetings/2011-10-06|2011-10-06]]
| |
| * [[Security/Meetings/2011-09-08|2011-09-08]]
| |
| * [[Security/Meetings/2011-08-25|2011-08-25]]
| |
| * [[Security/Meetings/2011-08-11|2011-08-11]]
| |
| * [[Security/Meetings/2011-07-28|2011-07-28]]
| |
| * [[Security/Meetings/2011-06-16|2011-06-16]]
| |
| |}
| |
| |}
| |