Security/Fileabug

From MozillaWiki
Jump to: navigation, search

Filing A Security Bug

Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.

Reporting a security bug

The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to following the process outlined below:

NB, even if you don't wan't a bounty it helps us triage so use the forms above, and just indicate in the bug that you don't want it considered for bounty.

Steps to file a bug

If you can't use the process above, or you are simply unsure, you can also follow the manual process below:

1. Make sure you have a Bugzilla account. You can create a new account here.
2. Create a new bug on bugzilla.mozilla.org
3. Select the affected product:

Productchoice.png

4. Select the affected component (best guess is OK - we will re-assign as need be):

Componentchoice.png

5. Add a bug summary
6. Add a bug description
7. Add as much information as possible:

  • a "proof of concept" testcase
  • point out vulnerable code (use DXR or searchfox to link to code directly)
  • attach debug output or output from a tool demonstrating the issue.

8. IMPORTANT: mark the bug as a "security" bug to keep it confidential:

Securitybug.png

9. Double check your entry then Submit the bug.

Note: bug description and comments can NOT be edited (for transparency & integrity purposes) so double check what you write!

Tips: