(→Template: fixup)
(Adding boilerplate comment to add once the bug is fixed)
(17 intermediate revisions by 5 users not shown)
Line 15: | Line 15: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Day !! On-call !! | ! Day !! On-call !! Slack handle | ||
|- | |- | ||
| Monday | | Monday - Friday || Frida Kiriakos || Frida | ||
|} | |} | ||
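Review bot: the revised on-call table has a single "Monday - Friday" row, so weekend coverage is left undefined; either add a Saturday/Sunday row or state explicitly that there is no weekend on-call and that reports wait until Monday. The new "Slack handle" column also just repeats the first name ("Frida"); give the full @handle so the escalation contact is unambiguous in Slack.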
Line 46: | Line 38: | ||
Follow up on a '''NEW''' bug until you get the assurance that it will be fixed, the urgency of which depends on the vulnerability and the target. | Follow up on a '''NEW''' bug until you get the assurance that it will be fixed, the urgency of which depends on the vulnerability and the target. | ||
= Vulnerability Mitigation process = | |||
When the reported vulnerability is mitigated, the engineer that did the work should change the bug status from '''NEW''' to '''FIXED'''. The engineer or bug bounty triager should then add a comment to the bug so the reporter knows what happens next. That comment should be | |||
<blockquote> | |||
Thanks very much for reporting this issue to us. Now that the issue is fixed, the bug bounty team will be reviewing your report over the upcoming weeks to make a determination of what if any award Mozilla will be granting for this report. It may take up to 3 weeks but know that we've not forgotten this ticket, we have a tracking system and a review cadence that will ensure that all potentially bounty eligible reports get reviewed and acted on. | |||
</blockquote> | |||
=Bounty= | =Bounty= | ||
# Bounty flags are set automatically through the [https://bugzilla.mozilla.org/form.web.bounty Web Bounty Form]. | # Bounty flags are set automatically through the [https://bugzilla.mozilla.org/form.web.bounty Web Bounty Form]. | ||
# Check the Web Bounty FAQ for whether the site and service are in scope for the bounty program. | # Check the Web Bounty FAQ for whether the site and service are in scope for the bounty program. | ||
## If the site is not on the [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs eligible list] and the bug is not "extraordinary" please | ## If the site is not on the [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs eligible list] and the bug is not "extraordinary" please note that in the whiteboard field (e.g. "[bounty-ineligible site]") | ||
# If a submitter requests that a bug submitted outside the automated form have a bounty flag added, set the bounty flag to "?" | # If a submitter requests that a bug submitted outside the automated form have a bounty flag added, set the bounty flag to "?" | ||
For '''NEW''' bugs | For '''NEW''' bugs | ||
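Review bot: the new "Vulnerability Mitigation process" section tells the engineer to change the status from NEW to FIXED, but in Bugzilla FIXED is a resolution, not a status; the bug is marked RESOLVED with resolution FIXED, and the text should say so, otherwise triagers will look for a status that does not exist. It would also help to say who verifies the fix before the canned comment is posted, since that comment tells the reporter the issue is fixed. In the Bounty list, the new whiteboard instruction (e.g. "[bounty-ineligible site]") should also say what to do with the sec-bounty flag for those bugs; as written, a bug that came in through the automated form keeps the "?" the form set.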
Line 60: | Line 60: | ||
== DUPLICATE == | == DUPLICATE == | ||
If the bug is a duplicate of an existing bug | If the bug is a duplicate of an existing bug | ||
# Set "sec-bounty" flag to "-" on new bug since it was a dupe. | # Set "sec-bounty" flag to "-" on new bug since it was a dupe (as long as it is duped to an OLDER bug). | ||
# Set the new bug blocking the appropriate metabug(s) | # Set the new bug blocking the appropriate metabug(s) | ||
#* For older bugs duped against that do not have the current flags | #* For older bugs duped against that do not have the current flags |
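Review bot: the qualifier added to step 1 of DUPLICATE ("as long as it is duped to an OLDER bug") covers only one direction; say what to do when the existing bug is the newer one, for example which of the two bugs keeps the sec-bounty "?" flag and which gets "-", otherwise the triager has to guess and the bounty determination can land on the wrong report.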