Security/Champions
From MozillaWiki
< Security
Security Champions
- Security Champions are active members of a team that make help to make decisions about when to engage the Security Team
- Act as the "voice" of security for the given product or team
- Assist in the triage of security bugs for their team or area
Presentations about Security Champions
Expectations
- Participate in the security champions mailing list &
- Attend one of 2 monthly meetings
- Either the 2nd (AM PST) or 4th (PM PST) Tuesday of the month
- Assist in making security decisions for their team
- Low-Moderate security impact
- Empowered to make decisions
- Document decisions made in bugs or wiki
- High-Critical security impact
- Engage SA team for current review process
- Can always engage using sec-review ? flag on any bug
- Low-Moderate security impact
List of Security Champions
Area | Champion | Point of Contact |
---|---|---|
Labs/Foundation | Atul Varma | Mark Goodwin |
Marketplace | Andrew McKay | |
WebDev | Will Kahn-Greene | Frederik Braun |
Front End | Jared Wein | |
Matthew Noorenberghe | ||
Felipe Gomes | ||
Web Productions | Andrei Hajdukewycz | |
Persona | François Marier | |
PiCl | Brian Warner | |
Metro Firefox | Brian Bondy | |
Metro Firefox | Tim Abraldes | |
Metro Firefox | Matt Brubeck | |
Mobile | Jim Chen | Mark Goodwin |
Automation | Jonathan Griffin | Gary Kwong |
Automation | Dave Lawrence | Gary Kwong |
How to Become a Security Champion
- Review the information above to ensure you understand it
- Discuss with your team/area to so they know you intend to take on this role
- send email to curtisk with your name and area you wish to be a champion for
Other Types of Security Contributors
Contributor
- Regular contributor with an interest in security
- Participates in security review activities appropriate with skill level
- participates in public security discussions and IRC channel (#security)
Security Contributor (Bug Bounty Reporters/Patch submitters)
- All activities associated with a contributor
- Contributes security documentation and/or other related content [1]
- Files security bugs (may or may not be pursuing bounties)
- Submits patches for or reviews patches security bugs
- Access to non-self security-sensitive bugs on an as needed basis
Security Mentors
- Security Champions for Domains - an expert on a certain domain of security such as cryptography, javascript, memory models, fuzzing, etc
- willing to mentor those that have questions or need guidance in a more general way
Security Group
- Governed by "Mozilla Security Group Membership Policy" https://www.mozilla.org/projects/security/membership-policy.html
- Member of security group; has visibility into security bugs, and responsibilities to help address those concerns
- Should be able to speak with authority and drive action within the Mozilla Community to address areas of security concern and act as an escalation path for Security Champions and Security Mentors
- May also act as Security Contributor, Security Champion or Security Mentor depending on individual impetus
[1] Related content may include but is not limited to: Brown Bags, Conference Talks, MDN documentation, Security Review Documentation, Foundational Security Documents (Flow Diagrams, Threat Models, etc), Security Tool contributions, Vulnerability Defence Documentation