Security/Web Bug Rotation: Difference between revisions

Adding boilerplate comment to add once the bug is fixed
(update bounty handling text)
(Adding boilerplate comment to add once the bug is fixed)
 
(19 intermediate revisions by 6 users not shown)
Line 15: Line 15:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Day !! On-call !! IRC handle
! Day !! On-call !! Slack handle
|-  
|-  
|  Monday || Adam Muntner || adamm
|  Monday - Friday || Frida Kiriakos || Frida
|-
|  Tuesday || Julien Vehent || ulfr
|-  
|  Wednesday || Simon Bennetts || psiinon
|-
|  Thursday || Jonathan Claudius || claudijd
|-
Friday || April King || April
|}
|}


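Review bot: the rewritten table reduces the rotation to a single on-call entry (Monday - Friday, Frida) with no backup or escalation entry, so the page no longer documents who takes a report when that person is unavailable; suggest a second row or a "Backup" column, matching the way the triage steps on this page refer to a Security POC and their backup. Minor: the old Friday row lacked the leading `| ` cell marker, which this change removes in any case.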
Line 35: Line 27:
# Determine if the issue reported is NEW, INVALID, or DUPLICATE
# Determine if the issue reported is NEW, INVALID, or DUPLICATE
# For '''NEW''' bugs
# For '''NEW''' bugs
## Find an owner (typically a dev or the product manager) to assign the bug to, and needinfo her/him. Change status to ASSIGNED.
## CC the Security POC and Backup on the website [https://docs.google.com/spreadsheets/d/14Gp6TPAibO7UkgJTXSeOIeFNMdfDbrUXQpqRFW3tDbg/edit#gid=0 contact list].  
##  Change status to ASSIGNED. Edit "Assigned To" and assign the bug to the Security POC.
## Needinfo flag the Security POC and their backup.  
## Set the right '''[https://bugzilla.mozilla.org/describekeywords.cgi keywords]'''
## Set the right '''[https://bugzilla.mozilla.org/describekeywords.cgi keywords]'''
### sec-{critical,high,moderate,low,other}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Severity_Ratings severity ratings]
### sec-{critical,high,moderate,low,other}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Severity_Ratings severity ratings]
### wsec-{authentication,cookie,xss,sqli,...}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Group_Keywords vulnerability types]
### wsec-{authentication,cookie,xss,sqli,...}, see [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#Group_Keywords vulnerability types]
## Edit "Assigned To" and check the box for "Reset Assignee to default"
### If the bug is rated sec-high or sec-critical, or if you believe the issue warrants it, cc the Site Owner and Business Owner to the bug, cc and needinfo flag them.
# If the verification shows that the issue is invalid, close the bug as '''INVALID'''
# If the verification shows that the issue is invalid, close the bug as '''INVALID'''
# For '''DUPLICATE''' bugs, set dupe against old bug. Set keywords & whiteboard for the new duped bug
# For '''DUPLICATE''' bugs, set dupe against old bug. Set keywords & whiteboard for the new duped bug


Follow up on a '''NEW''' bug until you get the assurance that it will be fixed, the urgency of which depends on the vulnerability and the target.
Follow up on a '''NEW''' bug until you get the assurance that it will be fixed, the urgency of which depends on the vulnerability and the target.
= Vulnerability Mitigation process =
When the reported vulnerability is mitigated, the engineer that did the work should change the bug status from '''NEW''' to '''FIXED'''. The engineer or bug bounty triager should then add a comment to the bug so the reporter knows what happens next. That comment should be
<blockquote>
Thanks very much for reporting this issue to us. Now that the issue is fixed, the bug bounty team will be reviewing your report over the upcoming weeks to make a determination of what if any award Mozilla will be granting for this report. It may take up to 3 weeks but know that we've not forgotten this ticket, we have a tracking system and a review cadence that will ensure that all potentially bounty eligible reports get reviewed and acted on.
</blockquote>


=Bounty=
=Bounty=
# Bounty flags are set automatically through the [https://bugzilla.mozilla.org/form.web.bounty Web Bounty Form].
# Bounty flags are set automatically through the [https://bugzilla.mozilla.org/form.web.bounty Web Bounty Form].
# Check the Web Bounty FAQ for whether the site and service are in scope for the bounty program.  
# Check the Web Bounty FAQ for whether the site and service are in scope for the bounty program.  
## If the site is not on the [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs eligible list] and the bug is not "extraordinary" please set the bug-bounty flag to "-" and needinfo flag :adamm.
## If the site is not on the [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs eligible list] and the bug is not "extraordinary" please note that in the whiteboard field (e.g. "[bounty-ineligible site]")
# If a submitter requests that a bug submitted outside the automated form have a bounty flag added, set the bounty flag to "?" and needinfo :adamm.
# If a submitter requests that a bug submitted outside the automated form have a bounty flag added, set the bounty flag to "?"


For '''NEW''' bugs
For '''NEW''' bugs
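Review bot: the new "Vulnerability Mitigation process" text says to change the bug status "from '''NEW''' to '''FIXED'''", which is inconsistent with the triage steps earlier in this hunk that already set the status to ASSIGNED, and in Bugzilla FIXED is a resolution rather than a status (the bug is marked RESOLVED with resolution FIXED); suggest "mark the bug RESOLVED/FIXED". Also, the added item "If the bug is rated sec-high or sec-critical ..." is nested at `###` under the wsec keyword line although it is a step in its own right, and "cc the Site Owner and Business Owner to the bug, cc and needinfo flag them" repeats the cc; suggest promoting it to `##` and dropping the second "cc".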
Line 58: Line 60:
== DUPLICATE ==
== DUPLICATE ==
If the bug is a duplicate of an existing bug
If the bug is a duplicate of an existing bug
# Set "sec-bounty" flag to "-" on new bug since it was a dupe.
# Set "sec-bounty" flag to "-" on new bug since it was a dupe (as long as it is duped to an OLDER bug).
# Set the new bug blocking the appropriate metabug(s)
# Set the new bug blocking the appropriate metabug(s)
#* For older bugs duped against that do not have the current flags
#* For older bugs duped against that do not have the current flags
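Review bot: the added parenthetical "(as long as it is duped to an OLDER bug)" only states when to set sec-bounty to "-" and leaves the other direction unstated, i.e. what happens when the existing bug is the newer of the two; suggest one sentence saying that the earlier report keeps the bounty flag and the later one is set to "-", so the rule covers both cases.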