Infrastructure Incident Response and Disclosure
The Incident Response and Disclosure Policy is designed to handle security incidents and vulnerabilities within the infrastructure, which includes servers, routers, web applications, and other infrastructure components. This policy will also cover services offered by Mozilla.
It is important to note that there is some overlap between this policy and the published Handling Mozilla Security Bugs. The "Handling Mozilla Security Bugs" policy doesn't address specific issues which could arise from infrastructure-related security issues. This policy will address these issues, and when possible we will attempt to make security-related infrastructure bugs public. We will need to take great care in making these bugs public, as we don't want to put the infrastructure at further risk by revealing information which could be used in a future attack. We will accomplish this by either marking specific comments as private or performing a formal public disclosure about the incident.
All infrastructure-related incidents will be filed as a bug and will be marked as either "Infrastructure Related", "Web-Security", "Security-Sensitive Client Services Bug", or "Security-Sensitive" depending upon the event or source of the event. The owners of these groups will work on the remediation of the incident in coordination with the infrastructure security team. While the impact of the incident might not be fully understood as an investigation takes place, periodic outward-facing updates will be released when there is new information to be communicated. Once the incident investigation has taken place, an official disclosure will be performed. As part of this investigation, it will be the goal of the infrastructure security group to determine the impact, exposure, and risk to Mozilla's community.
The general policies for handling bug reports related to infrastructure security incidents and vulnerabilities are as follows:
- Full information about infrastructure security bugs will be restricted to a known group of people using the Bugzilla access control restrictions. This group can be expanded as necessary.
- Individual bug comments can be marked confidential indefinitely based on the content of the bug. A representation of the bug may be created for public viewing in lieu of providing public access to the original bug. This would occur in a situation where the entire bug contains sensitive information which divulges internal information that could be used in future attacks.
- Details of the event and any available postmortem details will be published unless publishing would put users or systems at risk.
Disclosure of incidents and vulnerabilities will typically be handled separately. Routine security practices, such as patches and upgrading services to Mozilla infrastructure, will not be publicized as security vulnerabilities unless a discovered successful compromise leverages a known weakness in an installed service or operating system. Further, the design and security controls of Mozilla's internal architecture will not be publicly available. Select portions of the network may be revealed if it is deemed relevant to be included within a public disclosure. However, security incidents or compromises should be communicated to the community. Depending upon the incident, some items within the bug could be marked as private in order to ensure not only user privacy but the protection of Mozilla infrastructure. In cases where the entire bug is considered private, a formal disclosure will take place communicating the incident, exposure, and remediation actions taken to make sure the incident doesn't happen again.
It is important to note that Mozilla's infrastructure security will always err on the side of disclosure when it comes to security events dealing with the infrastructure especially when user account information is involved. This is not an exhaustive list, but under these circumstances public disclosure will be performed:
- Verified exposure of user data and/or privacy issues.
- Verified exposure of employee information.
- Technical security event which puts users at risk.
As part of the formal disclosure, a postmortem will be performed on all infrastructure security related incidents and details of this postmortem will be publicly available. We encourage our community to be involved and to understand the events within our infrastructure.
Changing this Policy
Similar to the Handling Mozilla Security Bugs, this document is a living item open to constant revision and updates. Changes to this document require consensus from the Director of Infrastructure Security and/or VP of Engineering Operations. The VP of Engineering Operations and the Director of Infrastructure Security will have the final authority to make changes to this policy, after consulting with the involved parties.