Security/Web Bug Rotation
Revision as of 20:11, 4 December 2015
Web Bug Verification
Web security bugs are reported to the security@mozilla.org mailbox or filed in a Bugzilla component. Before a bug is passed on to developers, a member of Mozilla Security verifies the reported vulnerability. This verification work is shared by several members of the security team. The following is meant to document the verification procedure and to serve as a reminder, for whoever is "on call for the week", of the steps that need to be completed. In general, an attempt to verify a bug is made within approximately one working day.
Rotation
Day | On-call | IRC handle |
---|---|---|
Monday | Adam Muntner | adamm |
Tuesday | Julien Vehent | ulfr |
Wednesday | Julien Vehent | ulfr |
Thursday | Jonathan Claudius | claudijd |
Friday | April King | April |
Verification process
The procedure below is performed by the on-call individual.
- If the issue was reported to the security@ alias, create a bug for it.
- Determine whether the reported issue is NEW, INVALID, or DUPLICATE.
- For NEW bugs:
  - Find an owner (typically a dev or the product manager) to assign the bug to, and needinfo them. Change the status to ASSIGNED.
  - Set the right keywords:
    - sec-{critical,high,moderate,low,other}, see severity ratings
    - wsec-{authentication,cookie,xss,sqli,...}, see vulnerability types
  - If the reporter is eligible for bounties (non-staff, non-sg), set the "sec-bounty" flag to "?".
  - Make the bug block the appropriate meta-bug.
  - Edit "Assigned To" and check the box for "Reset Assignee to default".
- If verification shows that the issue is invalid, close the bug as INVALID.
- For DUPLICATE bugs, mark the new bug as a duplicate of the old one, and set the keywords & whiteboard on the new duped bug.
Follow up on a NEW bug until you have assurance that it will be fixed; how urgently depends on the vulnerability and the target.
Bounty
Under bug 835475 (web-bounty) you will find a list of metabugs for the different Mozilla web properties. The list is ad hoc and likely needs to be expanded. There is currently a catch-all bug, 836522 (other-bounty), for bugs that do not fit any of the other trackers.
NEW
For NEW bugs that have been verified, simply set the "sec-bounty" flag to "?".
DUPLICATE
If the bug is a duplicate of an existing bug:
- Set the "sec-bounty" flag to "-" on the new bug, since it is a dupe.
- Make the new bug block the appropriate metabug(s).
- For older bugs (the ones duped against) that do not carry the current flags:
  - If the old bug has an attachment named 'bounty non-qual' or similar, set sec-bounty- on the old bug.
  - If the old bug has an attachment named 'bounty awarded X' or 'bounty paid X', set sec-bounty+ on the old bug.
- If no duplicate is found and the issue cannot be verified, the bug shall be RESOLVED INVALID and the whiteboard tag removed.
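As an added example (not from this wiki page or from Mozilla's own tooling), the following Python encodes the NEW, DUPLICATE and INVALID outcomes of the verification process above, together with the bounty-flag rules in this section, as update payloads for the public Bugzilla REST API (PUT /rest/bug/<id>). Assumptions: the field names (keywords, blocks, flags, dupe_of, reset_assigned_to, whiteboard) follow the documented Bugzilla REST API; the assignee address, whiteboard tags and attachment descriptions are constructed sample data; "bounty awarded/paid" is given precedence over "bounty non-qual" when an old bug carries both, which the page does not specify; and a bug with no individual owner is treated as the "Reset Assignee to default" case, which is an interpretation of the steps above. The `submit` helper is a dry run by default so the example runs offline.

```python
# Added example: Bugzilla REST API update payloads for the web-bug triage
# outcomes described on this page. Not Mozilla's code; sample values are constructed.
import json
import re
import urllib.request

SEVERITIES = ("critical", "high", "moderate", "low", "other")
WEB_BOUNTY_META = 835475    # web-bounty tracker, from the page
OTHER_BOUNTY_META = 836522  # other-bounty catch-all, from the page


def new_bug_update(severity, vuln_type, assignee, metabugs=(OTHER_BOUNTY_META,),
                   bounty_eligible=True):
    """Payload for a verified NEW bug: keywords, owner + needinfo, metabug, sec-bounty?."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    payload = {
        "status": "ASSIGNED",
        "keywords": {"add": [f"sec-{severity}", f"wsec-{vuln_type}"]},
        "blocks": {"add": list(metabugs)},
        "flags": [],
    }
    if assignee:
        payload["assigned_to"] = assignee
        payload["flags"].append({"name": "needinfo", "status": "?", "requestee": assignee})
    else:
        # Assumption: no identified owner -> "Reset Assignee to default" checkbox.
        payload["reset_assigned_to"] = True
    if bounty_eligible:  # non-staff, non-sg reporters only
        payload["flags"].append({"name": "sec-bounty", "status": "?"})
    return payload


def duplicate_update(dupe_of, keywords, whiteboard, metabugs=(OTHER_BOUNTY_META,)):
    """Payload for the NEW bug that turned out to be a dupe of an older bug."""
    return {
        "status": "RESOLVED",
        "resolution": "DUPLICATE",
        "dupe_of": dupe_of,
        "keywords": {"add": list(keywords)},
        "whiteboard": whiteboard,
        "blocks": {"add": list(metabugs)},
        "flags": [{"name": "sec-bounty", "status": "-"}],  # dupes never get a bounty
    }


_PAID = re.compile(r"bounty\s+(awarded|paid)\b", re.I)
_NONQUAL = re.compile(r"bounty\s+non-?qual", re.I)


def old_dupe_flag(attachment_descriptions):
    """sec-bounty value for an OLD bug that still carries legacy attachments, or None."""
    if any(_PAID.search(d) for d in attachment_descriptions):
        return "+"   # assumption: a payment record outranks a non-qual note
    if any(_NONQUAL.search(d) for d in attachment_descriptions):
        return "-"
    return None


def old_dupe_update(attachment_descriptions):
    flag = old_dupe_flag(attachment_descriptions)
    return None if flag is None else {"flags": [{"name": "sec-bounty", "status": flag}]}


def invalid_update(whiteboard, tag):
    """RESOLVED/INVALID with the triage whiteboard tag removed (tag name is an assumption)."""
    cleaned = " ".join(t for t in whiteboard.split() if t != tag)
    return {"status": "RESOLVED", "resolution": "INVALID", "whiteboard": cleaned}


def submit(bug_id, payload, base_url="https://bugzilla.mozilla.org", api_key=None,
           dry_run=True):
    """PUT the payload to /rest/bug/<id>; dry_run returns the request instead of sending."""
    req = urllib.request.Request(
        f"{base_url}/rest/bug/{bug_id}", data=json.dumps(payload).encode(),
        method="PUT", headers={"Content-Type": "application/json"})
    if api_key:
        req.add_header("X-BUGZILLA-API-KEY", api_key)  # header auth, Bugzilla >= 5.0
    if dry_run:
        return {"url": req.full_url, "method": req.get_method(), "body": payload}
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed example: a verified XSS from an external reporter, owner found.
    p = new_bug_update("high", "xss", "dev@example.com", metabugs=(WEB_BOUNTY_META,))
    print(json.dumps(submit(1234567, p), indent=2))
```

Run it with real credentials by passing `dry_run=False` and an API key; everything else (keyword prefixes, flag values, metabug ids) comes straight from the procedure above, so a change to the page is a one-line change here.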