Filing A Security Bug
Mozilla relies on the security community to help secure our products and websites by reporting security issues. This page provides information on how to use Bugzilla to submit a security issue.
Reporting a security bug
The easiest way to report a security bug (and for it to be automatically considered for a bounty) is to following the process outlined below:
- Website bugs: https://www.mozilla.org/en-US/security/web-bug-bounty/
- Client (desktop, mobile etc): https://www.mozilla.org/en-US/security/client-bug-bounty/
NB, even if you don't wan't a bounty it helps us triage so use the forms above, and just indicate in the bug that you don't want it considered for bounty.
Steps to file a bug
If you can't use the process above, or you are simply unsure, you can also follow the manual process below:
4. Select the affected component (best guess is OK - we will re-assign as need be):
5. Add a bug summary
6. Add a bug description
7. Add as much information as possible:
- a "proof of concept" testcase
- point out vulnerable code (use DXR or searchfox to link to code directly)
- attach debug output or output from a tool demonstrating the issue.
8. IMPORTANT: mark the bug as a "security" bug to keep it confidential:
9. Double check your entry then Submit the bug.
Note: bug description and comments can NOT be edited (for transparency & integrity purposes) so double check what you write!