Security

“Individuals’ security and privacy on the Internet are 
fundamental and must not be treated as optional.”
  - Mozilla Manifesto Principle 4

The Mozilla Security community provides leadership in security by building security features, testing software and systems, and leading industry standards to ensure that individuals retain the ability to make meaningful choices about security and privacy on the Internet.

This page documents the security-related activities where Mozilla active, and how to join us.

Security-related bugs

• Security Severity Ratings
• How to report a security issue
• Want to fix a security bug? Here is a list of old thorny bugs you can take on.

Engaging with Security

How To Find Us

Lots of options, we're here to help:

• Security@mozilla.org - email us any questions, concerns, etc. Please submit bugs through [1], not email.
• #security on IRC
• File a security/privacy review request via this link
• Attend a Security Talk given by one of the security team

Security reviews for new features/products/applications

Main Article: Security/Reviews

• Find past reviews by Category:SecReview

The Mozilla Secure Development Lifecycle

• Understand the Secure Development Lifecycle used to secure our new features/products/applications
• Information on Bugzilla and the Security Assurance Component

Security Bug Processes

• Approval for Landing Security Bugs
• Web Bug Verification Rotation

Request a Security or Privacy Review

• Complete the questions at the following page to provide the basic info to kickstart a security or privacy review
• We'll create and link the corresponding wiki page within the Security Radar
• Security & Privacy Review Request Form

Security Radar

Unlinked Reviews
Android System Storage WebBattery BrowserID C API Add crossorigin attribute Sync Dialogue JetPack 2011-10-12 XHR non-post rewrite Stub Installer Sync Client Weave 1.3b5 Client DNSSEC-TLS Web Activities & F1 MouseLock Joystick

Unlinked Discussions
WebRTC

Security Feature Development

We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments. Check out the SecurityEngineering page for more info!

Security Initiatives

• Security/TeamEmbedding
• Prioritizing and driving non-feature work: Security/Driving
• Open Mic Sessions
• Security/Training

Security Resources and Blogs

Mozilla Official Sites

• Mozilla Security Center
• Mozilla security developer docs
• Mozilla CA Root Program
• Mozilla Security blog
• Mozilla WebApp Sec Blog
• Secure Coding Guidelines for Webapps

Personal Security Related Blogs of Mozillians

• Lucas Adamski's blog
• Sid Stamm's blog
• Curtis Koenig's blog
• Jesse Ruderman's blog (fuzzing entries, security entries)
• Ian Melven's Mozilla/Security blog
• Christian Holler's blog (decoder)
• Guillaume Destuynder's blog (kang)
• Julien Vehent's blog (ulfr)
• Michal Purzynski's blog (michal`)
• Adam Muntner's blog (adamm)

Twitter Accounts of Security Mozillians

• Mozilla Security
• Mozilla Web Security
• Jesse Ruderman
• Yvan Boily
• Daniel Veditz
• Raymond Forbes
• Al Billings (but mostly Buddhist and Hackerspace tweets)
• Guillaume Destuynder
• Joe Stevensen
• Gary Kwong (all sorts of stuff)
• Christian Holler (decoder)
• Tanvi Vyas
• Simon Bennetts (psiinon)
• Jeff Bryner (jeff)
• Julien Vehent (ulfr)
• Gene Wood (gene)
• Michal Purzynski (michal`)
• Adam Muntner (adamm)

Former members, still Mozillians

• Curtis Koenig
• Lucas Adamski
• Alex Fowler
• Ian Melven

OWASP Projects and chapters

The Mozilla Security team is heavily involved with OWASP:

• Curtis Koenig - Louisville Chapter leader
• Mark Goodwin - East Midlands Chapter leader
• Raymond Forbes - Seattle Chapter leader
• Simon Bennetts - ZAP and VWAD Project leader and Manchester Chapter leader
• Yvan Boily - Vancouver Chapter leader

Mozilla Security team members also frequently talk at OWASP chapter meetings and conferences.

Non-Mozilla Resources (blogs, news sites, twitter, tools)

• Other Security Resources

Stuff that needs to be merged into this page properly

Meeting Notes

Meetings

Security Assurance AppSec Bi Weelky SecTeam Meetings 2012 2012-02-01 2012-01-25 2012-01-18 2012-01-11 2012-01-04 SecTeam Meetings 2011 2011-12-28 2011-12-21 2011-12-14 2011-12-07 2011-11-30 2011-11-23 2011-11-16 2011-11-09 2011-11-02 2011-10-26 2011-10-19 2011-10-12 2011-10-05 2011-09-28 No meeting on 9/14 (All Hands) or 9/21 (Fuzzing Work Week) 2011-09-07 2011-08-31 2011-08-24 Life Cycle discussion 2011-08-17 2011-08-10 2011-07-27 2011-07-20 2011-07-13 2011-07-06 2011-06-29 2011-06-22 2011-06-15 2011-06-08 2011-06-01 Joint Secteam-Infrasec Meetings 2012 2012-01-12 Joint Secteam-Infrasec Meetings 2011 2011-12-15 2011-11-17 2011-10-06 2011-09-08 2011-08-25 2011-08-11 2011-07-28 2011-06-16