Security/Reviews/Review Request Form
Am I in the right place?
The Security Assurance team provides security and privacy reviews for any new product feature, application or service created by Mozilla. These reviews are required before the new code is launched. We have many security reviews each quarter; it is best to file a security review request at the beginning of your project.
What happens during the security & privacy review?
The Security Assurance team will review the design and code to identify security vulnerabilities that could place users or the application/system at risk. In addition, we review the handling of user data to ensure the data is protected with technical controls and handled in line with our privacy principles. Also, don't hesitate to ask us questions at any point during development. You can reach our team at security@mozilla.com.
Security Assurance Security Review Request
You have a few options to engage the Security Assurance team.
- Bug Review: security / privacy guidance needed within a bug
  - Simply set the flag "sec-review" to "?"; anyone can nominate an item they feel we should review.
  - This automatically adds the bug to our triage, and we'll soon jump on the bug to assist as needed.
  - If an urgent response is needed for an emergency, please notify Curtis Koenig (curtisk) and he will attempt to expedite.
  - Once triaged and accepted for review, a requestee will be assigned from the security team (visible on the bug).
  - A tracking bug will be filed in the "Security Assurance: Security Review" component to document our activities and for metrics.
  - The security bug will then block the implementation bug until the review is completed.
  - If a review is deemed not necessary, the flag will be set back to none.
- For items without a bug or early in planning stages
  - File a new bug (via the link below) within Bugzilla for a review request.
  - Assign the bug to Product: Mozilla.org (under Other) and Component: Security Assurance: Review Needed.
  - Here is a direct bugzilla link. IMPORTANT: please use this URL. It populates data into the bug that we need for tracking; without it the request will get lost in Bugzilla.
  - Please copy the questions below into the bug and answer them to help us properly handle your request.
- For Vendor reviews
  - Please file a bug for a Vendor Security Review using this [vendor%20name&status_whiteboard=[pending%20secreview]&target_milestone=---&version=other direct bugzilla link]. The vendor should respond to the questions below, and this information should be added to the bug. In some situations particular questions may not be applicable to the vendor/system.
Questions to Address within Request Body
Security Assurance Review Request
- Who is/are the point of contact(s) for this review?
- Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
- Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in the feature description:
- Does this request block another bug? If so, please indicate the bug number.
- This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
- To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
- Please answer the following few questions (Note: if you are asked to describe anything, 1-2 sentences shall suffice):
  - Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
  - Are there any portions of the project that interact with 3rd party services?
  - Will your application/service collect user data? If so, please describe.
- If you feel something is missing here or you would like to provide other kinds of feedback, feel free to do so here (no limits on size):
- Desired date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Security Assurance Vendor Review Request
The following basic questions are used to begin the security assessment of a particular vendor that will interact with Mozilla.
- Overall
  - Please describe the overall purpose of the system and how Mozilla data will be integrated.
- Security Management
  - Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
  - Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
  - How do you protect Mozilla data that will be stored on your servers or within your applications?
  - How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
  - What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
  - Have you suffered a security compromise in the past 24 months? If so, please provide details and the remediation that occurred as a result.
  - What other large engagements/clients have you supported with this application?
- Technical Design
  - Do you support full SSL communication for all inbound and outbound communications?
  - Describe the technology stack of the application and infrastructure.
  - What options do you support for authentication?
    - username/password
    - certificate based authentication
    - secret token
  - Do you use third party servers or do you host the servers yourself?
  - Do you use any third party services or communicate with any third parties from this application?
- Security Verification
  - Will testing of the running application be possible?
  - Will source code for your application be available?