Security

“Individuals’ security and privacy on the Internet are 
fundamental and must not be treated as optional.”
  - Mozilla Manifesto Principle 4

The Mozilla Security community provides leadership in security by building security features, testing software and systems, and leading industry standards to ensure that individuals retain the ability to make meaningful choices about security and privacy on the Internet.

This page documents the security-related activities where Mozilla active, and how to join us.

Security-related bugs

• Security Severity Ratings
• How to report a security issue
• Want to fix a security bug? Here is a list of old thorny bugs you can take on.

Engaging with Security

How To Find Us

Lots of options, we're here to help:

• Security@mozilla.org - email us any questions, concerns, etc. Please submit bugs through [1], not email.
• #security on IRC
• File a security/privacy review request via this link
• Attend a Security Talk given by one of the security team

Security reviews for new features/products/applications

Main Article: Security/Reviews

• Find past reviews by Category:SecReview

The Mozilla Secure Development Lifecycle

• Understand the Secure Development Lifecycle used to secure our new features/products/applications
• Information on Bugzilla and the Security Assurance Component

Security Bug Processes

• Approval for Landing Security Bugs
• Web Bug Verification Rotation

Request a Security or Privacy Review

• Complete the questions at the following page to provide the basic info to kickstart a security or privacy review
• We'll create and link the corresponding wiki page within the Security Radar
• Security & Privacy Review Request Form

Security Feature Development

We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments. Check out the SecurityEngineering page for more info!

Mozilla Official Sites

• Mozilla Security Center
• Mozilla security developer docs
• Mozilla CA Root Program
• Mozilla Security blog
• Secure Coding Guidelines for Webapps

Personal Security Related Blogs of Mozillians

• Lucas Adamski's blog
• Sid Stamm's blog
• Curtis Koenig's blog
• Jesse Ruderman's blog (fuzzing entries, security entries)
• Ian Melven's Mozilla/Security blog
• Christian Holler's blog (decoder)
• Guillaume Destuynder's blog (kang)
• Julien Vehent's blog (ulfr)
• Michal Purzynski's blog (michal`)
• Adam Muntner's blog (adamm)
• Jonathan Claudius' blog (claudijd)

Twitter Accounts of Security Mozillians

• Mozilla Security
• Mozilla Web Security
• Jesse Ruderman
• Daniel Veditz
• Raymond Forbes
• Al Billings (but mostly Buddhist and Hackerspace tweets)
• Guillaume Destuynder
• Gary Kwong (all sorts of stuff)
• Christian Holler (decoder)
• Tanvi Vyas
• Simon Bennetts (psiinon)
• Jeff Bryner (jeff)
• Julien Vehent (ulfr)
• Gene Wood (gene)
• Michal Purzynski (michal`)
• Adam Muntner (adamm)
• Jonathan Claudius (claudijd)

Former members, still Mozillians

• Curtis Koenig
• Lucas Adamski
• Alex Fowler
• Ian Melven
• Yvan Boily
• Joe Stevensen

OWASP Projects and chapters

The Mozilla Security team is heavily involved with OWASP:

• Mark Goodwin - East Midlands Chapter leader
• Raymond Forbes - Seattle Chapter leader
• Simon Bennetts - ZAP and VWAD Project leader and Manchester Chapter leader

Non-Mozilla Resources (blogs, news sites, twitter, tools)

• Other Security Resources