Security/Firefox/Security Bug Life Cycle/Hall of Fame

From MozillaWiki
Updating the Client Bug Bounty Hall of Fame

The Client Bug Bounty Hall of Fame is located at https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/ . This wiki page describes how to update it.

The HOF lives in https://github.com/mozilla/foundation-security-advisories and the script to update it is there as well. Grab that repo.

Using a Bugzilla API key, run

./update_hof.py -a <apikey> -y <year> -q <quarter> -f bug-bounty-hof/client.yml

It will first remind you that bugs which should receive credit need the hof+ flag, and print a link to the bugs to check. Kill the script, open that link, assign the flags, and then come back and re-run it.

This will take a long time, because it needs to look at every security bug. When it's done, it will:

  1. Prepend the new credit entries to the client.yml file
  2. Edit the update_hof.py script to contain any new credit mappings that should be present
  3. Produce a debuglog.<timestamp>.log file.

Next we're going to double check things. You should:

  • git diff the client.yml file looking for any unusual entries (e.g. 'Anonymous' or shared credit entries)
  • grep -v range debuglog.<timestamp>.log to look at the bugs that resulted in credit entries. This allows you to map credit entries from the yml file to bugs for checking.
  • Review these bugs.
    • If you gave a hof+ flag to a bug, do you see it here? (It should have a 'bounty-' indicator.)
    • Do any of these bugs have a special credit field from the bug? A shared credit?
    • Are any of them marked "do not publish"? Double check they shouldn't be published.
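The two file-based checks above (scanning the client.yml diff for unusual credit entries, and pulling the credit-producing bug lines out of the debug log) can be scripted so they are run the same way every quarter. The following is an added example and is not part of this wiki page or of the foundation-security-advisories repository. It assumes that client.yml credits people in "name:" fields, that a shared credit shows up as " and " or " & " in that field, and that the debug log's non-credit lines contain the word "range"; the diff and log it writes are constructed samples, not real data.

```shell
#!/bin/sh
# Added example, not from the Mozilla wiki page or the foundation-security-advisories
# repository. It automates the two "double check" steps after update_hof.py has run:
#   1. scan the client.yml diff for unusual credit entries ('Anonymous', or several
#      people credited on one line);
#   2. list the debug-log lines that produced credit entries (grep -v range).
# Assumptions: client.yml credits people in "name:" fields, shared credits show up as
# " and " or " & " in that field, and the debug log's bookkeeping lines contain the
# word "range". The sample diff and log written by make_samples are constructed.

# Print the added "name:" lines from a git diff of client.yml that look unusual.
# Only '+' lines are inspected, so entries that were already in the file are skipped.
# Always exits 0 so it can be used with set -e.
flag_unusual_credits() {
    grep '^+.*name:' "$1" | grep -i -e 'anonymous' -e ' and ' -e ' & ' || true
}

# Number of unusual added credit lines (whitespace stripped so it compares cleanly).
count_unusual_credits() {
    flag_unusual_credits "$1" | wc -l | tr -d ' '
}

# Print the debug-log lines for bugs that received a credit entry, i.e. everything
# except the "range" bookkeeping lines. Use this to map each new client.yml entry
# back to its bug before reviewing the bug itself.
list_credit_bugs() {
    grep -v range "$1" || true
}

count_credit_bugs() {
    list_credit_bugs "$1" | wc -l | tr -d ' '
}

# Write constructed sample files into a temporary directory and print its path.
# Bug numbers 1, 2 and 3 are placeholders, not real Bugzilla bugs.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/client.diff" <<'EOF'
--- a/bug-bounty-hof/client.yml
+++ b/bug-bounty-hof/client.yml
@@ -1,4 +1,10 @@
 program: Client Bug Bounty
 names:
+  - name: Anonymous
+    date: 2020-03-31
+  - name: Jane Doe and John Roe
+    date: 2020-03-31
+  - name: Alex Example
+    date: 2020-03-31
   - name: Existing Person
     date: 2019-12-31
EOF
    cat > "$dir/debuglog.sample.log" <<'EOF'
considering range 2020-01-01..2020-03-31
bug 1 credit 'Jane Doe and John Roe' bounty+
bug 2 credit 'Anonymous' bounty-
bug 3 credit 'Alex Example' bounty+
range finished
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: show what a reviewer would look at for the constructed samples.
samples=$(make_samples)
echo "Unusual credit entries added to client.yml:"
flag_unusual_credits "$samples/client.diff"
echo "Bugs that produced credit entries:"
list_credit_bugs "$samples/debuglog.sample.log"
rm -rf "$samples"
```

For a real update, point flag_unusual_credits at the output of `git diff bug-bounty-hof/client.yml` saved to a file, and list_credit_bugs at the debuglog.<timestamp>.log the script produced; every line the first prints is one to look at by hand, and the second gives the bug list to walk through the three review questions above.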

After that, commit it to a branch, push it (you can push the branch to the public repo), and submit a pull request for Dan or Tom to review.

(If you want, you can run ./update_hof.py --sort-credit-entries in a second commit and copy-paste replace the existing variables in the script to sort them nicely.)

Special Note

For reasons specific to the script's implementation, you need access to Bug 1622495 in order to run it. If you can't view that bug, you're not going to be able to run the script.

Historical Note

In early 2020 Tom re-generated the entire Client Hall of Fame from 2010 to 2019. It involved a lot of manual work, including carrying over names that had disappeared from the generated output. There is a doitall option buried in the script. You should not use it: it will not produce a Hall of Fame identical to the one currently published, because a lot of manual touch-ups had to be made. Going forward we should update it a quarter at a time.