WebExtensions/Security

From MozillaWiki

Security

As we work on WebExtensions and the code is pushed out into mozilla-central, there will be security bugs. This page discusses how we'll prioritise those bugs from a code and bounty point of view.

Relevant WebExtensions security bugs. Because of permissions, you might not be able to see all the bugs in there.

Classification of bugs

  • anything that affects Firefox users without a WebExtension installed (for example a web page can access a WebExtension API)
  • anything that affects Firefox users with a WebExtension installed that has a bad security outcome
    • a bug in innocent WebExtensions that lets evil web pages hack users through the extension (e.g. missing wrappers)
    • something that allows an evil WebExtension to hack Firefox with powers it shouldn't have
  • anything that affects Firefox users with a WebExtension installed and concerns parts of WebExtensions that we haven't completed yet or claim to have completed (for example the alarms permission), but doesn't really affect users' data or system