Security: Difference between revisions

“Individuals’ security and privacy on the Internet are 
fundamental and must not be treated as optional.”
  - Mozilla Manifesto Principle 4

The Mozilla Security community provides leadership in security by building security features, testing software and systems, and leading industry standards to ensure that individuals retain the ability to make meaningful choices about security and privacy on the Internet.

This page documents the security-related activities where Mozilla active, and how to join us.

Security-related bugs

• Security Severity Ratings
• How to report a security issue
• Want to fix a security bug? Here is a list of old thorny bugs you can take on.

Engaging with Security

How To Find Us

Lots of options, we're here to help:

• Security@mozilla.org - email us any questions, concerns, etc
• Bugzilla Keyword - sec-review-needed - We triage based on this keyword and will jump in to provide assistance
• #security on IRC
• File a security/privacy review request via this link
• Attend a Security Talk given by one of the security team

Security reviews for new features/products/applications

Main Article: Security/Reviews

• Find past reviews by Category:SecReview

The Mozilla Secure Development Lifecycle

• Understand the Secure Development Lifecycle used to secure our new features/products/applications
• Information on Bugzilla and the Security Assurance Component

Security Bug Processes

• Approval for Landing Security Bugs
• Web Bug Verification Rotation

Request a Security or Privacy Review

• Complete the questions at the following page to provide the basic info to kickstart a security or privacy review
• We'll create and link the corresponding wiki page within the Security Radar
• Security & Privacy Review Request Form

Security Radar

Security Feature Development

We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments. Check out the SecurityEngineering page for more info!

Security Initiatives

• Security/TeamEmbedding
• Prioritizing and driving non-feature work: Security/Driving
• Open Mic Sessions

Security Resources and Blogs

Mozilla Official Sites

• Mozilla Security Center
• Mozilla security developer docs
• Mozilla CA Root Program
• Mozilla Security blog
• Mozilla WebApp Sec Blog
• Secure Coding Guidelines for Webapps

Personal Security Related Blogs of Mozillians

• Lucas Adamski's blog
• Sid Stamm's blog
• Curtis Koenig's blog
• Jesse Ruderman's blog (fuzzing entries, security entries)
• Ian Melven's Mozilla/Security blog
• Christian Holler's blog (decoder)
• Guillaume Destuynder's blog (kang)
• Julien Vehent's blog (ulfr)

Twitter Accounts of Security Mozillians

• Mozilla Security
• Mozilla Web Security
• Jesse Ruderman
• Curtis Koenig (all kinds of random stuff)
• Lucas Adamski
• Alex Fowler
• Yvan Boily
• Daniel Veditz
• Raymond Forbes
• Al Billings (but mostly Buddhist and Hackerspace tweets)
• Ian Melven
• Guillaume Destuynder
• Joe Stevensen
• Gary Kwong (all sorts of stuff)
• Christian Holler (decoder)
• Tanvi Vyas
• Simon Bennetts (psiinon)
• Jeff Bryner (jeff)
• Julien Vehent (ulfr)

OWASP Projects and chapters

The Mozilla Security team is heavily involved with OWASP:

• Curtis Koenig - Louisville Chapter leader
• Mark Goodwin - East Midlands Chapter leader
• Raymond Forbes - Seattle Chapter leader
• Simon Bennetts - ZAP and VWAD Project leader and Manchester Chapter leader
• Yvan Boily - Vancouver Chapter leader

Mozilla Security team members also frequently talk at OWASP chapter meetings and conferences.

Non-Mozilla Resources (blogs, news sites, twitter, tools)

• Other Security Resources

Stuff that needs to be merged into this page properly

Meeting Notes