Contribute/Security Assurance

From MozillaWiki
Jump to: navigation, search
Ambox outdated.png THIS PAGE MAY BE OUTDATED
This article is in parts, or in its entirety, outdated. Hence, the information presented on this page may be incorrect, and should be treated with due caution until this flag has been lifted. Help by editing the article, or discuss its contents on the talk page.


Michael Coates

Identify Community

Q: Can you identify all of the contributors on your team (both paid-staff and volunteer-staff)?

A: Yvan Boily, Raymond Forbes, Guillaume Destuynder, Joe Stevensen, Mark Goodwin, Eric Parker, David Chan, Simon Bennetts, Adam Muntner, Jesse Ruderman, Paul Theriault, Gary Kwong, Daniel Veditz, Michael Henry

Suggestion: Use the contributor directory to help. Communicate through your team's channels and encourage people to sign up and group themselves with a common team tag. If you assign a group tag to all contributors on your project, the Mozillians dashboard will track the size of that group and will also allow you to easily export the contact information for group members. You can export these contacts to ensure all your contributors are signed up.


  • Recommend team members register themselves [done]
  • Recommend that team members add the "security assurance" tag

Define Contribution Opportunities

Q: Can you point someone interested in contributing to your project to a list of available contribution opportunities?

A: Mozilla Web Bounty Program link. There are also plans to publish our security verification guide and steps to get involved in the verification of new web applications. More info coming on this.

Suggestion: Look at what your team's needs are and what gaps you have in staffing to come up with a list of contribution opportunities. Capture those on a wiki page, in bugs, as role descriptions in Jobvite or whatever makes sense for your community.


  • Skills gap analysis [eta: early q3]
  • Contribution opportunities write-ups [eta: May 28]

Map Contribution Paths

Q: Are there clearly understood steps someone can follow to go from knowing nothing about your project to successfully contributing?

A: Mozilla Web Bounty Program FAQ

Suggestion: In addition to just documenting these steps, look for a simple 5-minute task that someone can take to get started (for example, signing up for Bugzilla if they are interested in coding) and also figure out where in the process you can add a mentor to help people.


  • Document Security Reviews (what tasks should be performed)
    • Document Security Review Tasks (what steps need to be taken for each task of a security review)
    • Document QA / Peer review processes
  • Identify 10 "Good First Bug" security review requests
    • Identify mentors for these bugs

Establish Goals and Metrics

Q: Can you measure participation or contributors today? If so, what metrics can you track? What goal or metric would you like to achieve for Q1? Alternatively, what metrics would you like to get in place for Q1?

A: We are currently able to track bug submitters to the bounty program.

Suggestion: Write down what you think would be helpful to track even if it isn't possible to get that data today. We'll work on implementing dashboards when we know what data we want.