Security/FirefoxOperations

154 bytes removed, 17:18, 10 February 2017
no edit summary
= Firefox Services & Operations Security =
The FoxSec team is tasked with securing the core Firefox services operated by the Firefox Services Engineering and Operations organization at Mozilla.
[[File:Foxsec1024.png|400px|right]]
== Contact ==
{|
|-
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.1+TDS%22 <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''5 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.2+fraud+detection%22 <span style="color:white;">'''2 HIGH'''<br />'''3 MEDIUM'''<br />'''5 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.3+identity+management%22 <span style="color:black;">'''1 HIGH'''<br />'''2 MEDIUM'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.4+infra+hardening%22 <span style="color:white;">'''7 MEDIUM'''<br />'''8 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%223.2+monitor+external+threats%22 <span style="color:white;">'''1 LOW'''<br /></span>]
| External audits
|-
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.1+risk+assessment%22 <span style="color:black;">'''3 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.1+risk+assessment%22 <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''4 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.2+appsec+baseline%22 <span style="color:white;">'''2 HIGH'''<br />'''8 MEDIUM'''<br />'''6 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%223.1+signature%22 <span style="color:black;">'''2 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.3+security+communication%22 <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''6 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.4+bug+bounty%22 <span style="color:white;">'''2 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%223.3+external+audits%22 <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
|}
== Strategy ==
 
=== 1. Improve operational security of the core infrastructure ===
* [ ] X-Frame-Options
* [ ] X-XSS-Protection
* [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org)
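The three checklist items above can be verified mechanically against a service's responses. The following is an added example, not FoxSec tooling or code from this page: it audits a response header set for X-Frame-Options and X-XSS-Protection, and checks that a user-content URL lives on a different registrable domain than the application so the application's cookies are never sent to it and it is a separate origin. The sample header dictionaries and URLs are constructed for illustration, and the registrable-domain logic (last two labels) is a deliberate simplification that a real scanner should replace with a public-suffix-list lookup.

```python
"""Header audit for the checklist above (added example, not FoxSec code).

Checks X-Frame-Options and X-XSS-Protection on a response's headers and
whether user-uploaded content is served from a separate registrable
domain. Sample headers and URLs below are constructed for illustration.
"""
from typing import Dict, List
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a hostname.

    Simplification: a real scanner should consult the public suffix list so
    that e.g. 'foo.co.uk' is not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the two headers; an empty list means both pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is ignored by most browsers, so the page ends up frameable.
        findings.append(f"X-Frame-Options unsupported value {xfo!r}; use DENY or SAMEORIGIN")

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.replace(" ", "") != "1;mode=block":
        # A bare '1' lets the filter rewrite the page instead of blocking it.
        findings.append(f"X-XSS-Protection should be '1; mode=block', got {xss!r}")
    return findings


def user_content_isolated(app_url: str, content_url: str) -> bool:
    """True when uploaded content lives on a different registrable domain
    than the application (different origin, no shared cookies)."""
    app_host = urlsplit(app_url).hostname or ""
    content_host = urlsplit(content_url).hostname or ""
    return registrable_domain(app_host) != registrable_domain(content_host)


# Constructed sample responses, not captured from any Mozilla service.
GOOD_HEADERS = {"X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block"}
WEAK_HEADERS = {"X-Frame-Options": "ALLOW-FROM https://example.com",
                "X-XSS-Protection": "1"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or "ok")
    print(user_content_isolated("https://accounts.firefox.com/",
                                "https://firefoxcontent.com/avatar/abc"))
```

The X-XSS-Protection check encodes the 2017 guidance this checklist was written against. The browser XSS filter it controls was never implemented in Firefox and has since been removed from Chromium-based browsers, and current guidance favours omitting the header or sending `0`; a scanner run today should flip that check accordingly.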
Data rules
Public Endpoints:
* search.services.mozilla.com
 
In Bounty Scope? Yes
=== Addons.mozilla.org ===
* versioncheck-bg.addons.mozilla.org
* versioncheck.addons.mozilla.org
 
In Bounty Scope? Yes
=== Product Delivery ===
* download-installer.cdn.mozilla.net
* download.mozilla.org
 
In Bounty Scope? Yes
=== AUS/Balrog ===
* aus.mozilla.org
In Bounty Scope? Yes
=== Crash reports (Socorro) ===
Code: https://github.com/mozilla/socorro/

Public Endpoints:
* crash-reports-xpsp2.mozilla.com
* crash-reports.mozilla.com
* crash-stats.mozilla.com
=== Firefox Accounts ===
* profile.accounts.firefox.com
* verifier.accounts.firefox.com
 
In Bounty Scope? Yes
=== Firefox Sync ===
* *.$region.sync.services.mozilla.com
* token.services.mozilla.com
 
In Bounty Scope? Yes
 
=== Firefox Hello ===
Code: [https://github.com/mozilla-services/loop-server loop-server]
 
Public Endpoints:
* hello.firefox.com
* loop.services.mozilla.com
 
In Bounty Scope? Yes
=== Location (MLS) ===
* location.services.mozilla.com
* location-leaderboard.services.mozilla.com
 
In Bounty Scope? Yes
=== Marketplace.firefox.com ===
* receiptcheck.marketplace.firefox.com
* static.marketplace.firefox.com
 
In Bounty Scope? Yes
=== Push ===
* updates.push.services.mozilla.com
In Bounty Scope? Yes
=== Firefox Settings (Kinto) ===
Code: https://github.com/Kinto/kinto

Public Endpoints:
* firefox.settings.services.mozilla.com

In Bounty Scope? No
=== Pageshot ===
Code: https://github.com/mozilla-services/pageshot/

Public Endpoints:
* pageshot.net
=== Shield / Normandy ===
Code:
* [https://github.com/mozilla/normandy normandy]
Public Endpoints:
* self-repair.mozilla.org

In Bounty Scope? No
=== Telemetry ===
* sql.telemetry.mozilla.org
* metrics.services.mozilla.com
 
In Bounty Scope? Yes
=== Test Pilot ===
* http://testpilot.firefox.com/
In Bounty Scope? Yes
=== Tiles / Pingcenter ===
Code: [https://github.com/mozilla/splice splice]
* tiles.cdn.mozilla.net
* tiles.services.mozilla.com
 
In Bounty Scope? Yes
=== TLS Observatory ===
Public Endpoints:
* tls-observatory.services.mozilla.com
 
In Bounty Scope? No
=== Tracking Protection ===
* shavar.services.mozilla.com
* tracking.services.mozilla.com
 
In Bounty Scope? Yes
 
=== Everything.me ===
In Bounty Scope? No
 
=== Find My Device ===
Code: [https://github.com/mozilla-services/FindMyDevice find my device]
 
In Bounty Scope? No
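A bounty triager or an internal scanner needs to turn the inventory above into a scope decision for an arbitrary hostname. The following is an added example, not FoxSec tooling or code from this page: it encodes a subset of the entries above with their "In Bounty Scope?" answers and interprets the page's wildcard forms, treating `*` and `$region` as exactly one DNS label each and anchoring the match so that a host that merely contains or ends in an in-scope name is not accepted. That one-label reading is an assumption; the page does not define the pattern syntax.

```python
"""Bounty-scope lookup for the endpoint inventory above (added example,
not FoxSec code). '*' and '$region' each match exactly one DNS label;
this reading of the page's patterns is an assumption."""
import re
from typing import Optional

# A subset of the inventory on this page; the bool is the "In Bounty Scope?" answer.
SCOPE = {
    "search.services.mozilla.com": True,
    "versioncheck.addons.mozilla.org": True,
    "download.mozilla.org": True,
    "aus.mozilla.org": True,
    "profile.accounts.firefox.com": True,
    "*.$region.sync.services.mozilla.com": True,
    "token.services.mozilla.com": True,
    "shavar.services.mozilla.com": True,
    "tls-observatory.services.mozilla.com": False,
    "pageshot.net": False,
}

# One DNS label (LDH rule: letters, digits, hyphens, no leading/trailing hyphen).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an inventory entry into an anchored regex."""
    parts = [
        _LABEL if label in ("*", "$region") else re.escape(label)
        for label in pattern.lower().split(".")
    ]
    return re.compile("^" + r"\.".join(parts) + "$")


_COMPILED = [(pattern_to_regex(p), scoped) for p, scoped in SCOPE.items()]


def in_scope(host: str) -> Optional[bool]:
    """True/False when host matches an inventory entry, None when unknown.

    Unknown hosts must be treated as out of scope; they come back as None
    rather than False so a caller can tell 'not listed' from 'listed as No'.
    """
    host = host.lower().rstrip(".")
    for regex, scoped in _COMPILED:
        if regex.match(host):
            return scoped
    return None


if __name__ == "__main__":
    for h in ("sync-1.us-west-2.sync.services.mozilla.com",
              "evil.sync.services.mozilla.com",
              "token.services.mozilla.com.attacker.example",
              "tls-observatory.services.mozilla.com"):
        print(h, in_scope(h))
```

The anchoring matters more than it looks: a naive `host.endswith("services.mozilla.com")` check would accept `token.services.mozilla.com.attacker.example`, and an unanchored `*` would let `a.b.c.sync.services.mozilla.com` claim the Sync wildcard.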