Friends/Infrasec

From MozillaWiki

Guidelines for Infrastructure Security

Mozilla Privacy Principles

No Surprises

We will always be open about the security of our environments; however, we may withhold information during the resolution of an incident in order to protect the security and privacy of our users. While we will be open about the nature of an incident and the impact to our users, we will withhold details that are operationally sensitive or that have an impact on the privacy or security of others. Our disclosure of information will be performed in accordance with our disclosure policy. We will make our security review work available to the public in a reasonable time frame from its completion. We will disclose the nature of vulnerabilities that are identified in our systems both by Mozilla personnel and by the community. When there is an incident that could have an impact on the privacy or security of our users, we will inform them as soon as possible, to the extent that such disclosure doesn't place our users at additional risk.

Real Choices

Our team will work to ensure that the security controls that we mandate are clearly documented so that our end users can learn more about how we protect their information. For high-risk services, we will produce easy-to-comprehend security documentation to allow end users to determine what, if any, risks are presented by using Mozilla services.

Sensible Settings

Our team will recommend security configurations for applications that best represent the interests of our users as well as our services. Where it is meaningful, we will work to ensure that our applications make these settings available to users in a way that is easy to manage and understand.

Limited Data

In order to monitor for attacks and maintain the continued security of our systems, the infrastructure security team must collect information about the interactions our users have with our hosted environments. Our team commits to limit the retention of this information to the data needed to continue ongoing operational security monitoring and security verification practices. In any case where a service requires data beyond that covered by our privacy policy to operate, we will clearly identify and detail the data, and how it will be used. In the case where we need the assistance of our users to conduct or complete a security assessment, we will adhere to the principles of our privacy policies and only collect information that our users are willing to contribute.

User Control

The infrastructure security team will work to ensure that, as Mozilla applications and services are developed, the concepts of privacy and security are applied in favor of the user. We will strive to ensure that services implemented to act on behalf of the user utilize only the data strictly required to function, and that they treat privacy or user control issues with the same significance as conventional security issues.

Trusted Third Parties

Mozilla frequently depends on the services of third parties to function as a business, and to deliver services to our end users. We will ensure that these third parties understand our position on end user privacy, and work with the privacy team to clearly identify and communicate areas where there are differences.