Security/Champions

From MozillaWiki
Jump to: navigation, search

Security Champions

  • Security Champions are active members of a team that make help to make decisions about when to engage the Security Team
  • Act as the "voice" of security for the given product or team
  • Assist in the triage of security bugs for their team or area

Presentations about Security Champions

Expectations

  • Participate in the security champions mailing list &
  • Attend one of 2 monthly meetings
    • Either the 2nd (AM PST) or 4th (PM PST) Tuesday of the month
  • Assist in making security decisions for their team
    • Low-Moderate security impact
      • Empowered to make decisions
      • Document decisions made in bugs or wiki
    • High-Critical security impact
    • Engage SA team for current review process
    • Can always engage using sec-review ? flag on any bug

List of Security Champions

Area Champion Point of Contact
Labs/Foundation Atul Varma Mark Goodwin
Marketplace Andrew McKay
WebDev Will Kahn-Greene Frederik Braun
Front End Jared Wein
Matthew Noorenberghe
Felipe Gomes
Web Productions Andrei Hajdukewycz
Persona François Marier
PiCl Brian Warner
Metro Firefox Brian Bondy
Metro Firefox Tim Abraldes
Metro Firefox Matt Brubeck
Mobile Jim Chen Mark Goodwin
Automation Jonathan Griffin Gary Kwong
Automation Dave Lawrence Gary Kwong

How to Become a Security Champion

  1. Review the information above to ensure you understand it
  2. Discuss with your team/area to so they know you intend to take on this role
  3. send email to curtisk with your name and area you wish to be a champion for

Other Types of Security Contributors

Contributor

  • Regular contributor with an interest in security
  • Participates in security review activities appropriate with skill level
  • participates in public security discussions and IRC channel (#security)

Security Contributor (Bug Bounty Reporters/Patch submitters)

  • All activities associated with a contributor
  • Contributes security documentation and/or other related content [1]
  • Files security bugs (may or may not be pursuing bounties)
  • Submits patches for or reviews patches security bugs
  • Access to non-self security-sensitive bugs on an as needed basis

Security Mentors

  • Security Champions for Domains - an expert on a certain domain of security such as cryptography, javascript, memory models, fuzzing, etc
  • willing to mentor those that have questions or need guidance in a more general way

Security Group

    • Governed by "Mozilla Security Group Membership Policy" https://www.mozilla.org/projects/security/membership-policy.html
    • Member of security group; has visibility into security bugs, and responsibilities to help address those concerns
    • Should be able to speak with authority and drive action within the Mozilla Community to address areas of security concern and act as an escalation path for Security Champions and Security Mentors
    • May also act as Security Contributor, Security Champion or Security Mentor depending on individual impetus

[1] Related content may include but is not limited to: Brown Bags, Conference Talks, MDN documentation, Security Review Documentation, Foundational Security Documents (Flow Diagrams, Threat Models, etc), Security Tool contributions, Vulnerability Defence Documentation