Security/FirefoxOperations
Firefox Operations Security
Firefox Operations Security is responsible for application & operations security for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service.
Contact
Email us at secops@mozilla.com.
To report a security issue on a given site, use the bug bounty form as explained here.
To tell us about a new service, create a New Service issue.
Product Lines
- Firefox Accounts
- Addons.mozilla.org
- Browser services (sync, push, normandy, remote settings, balrog, product delivery, etc.)
- Data services (telemetry, pioneer, taar, prio, etc.)
- Web presence of Premium services (FxSend, FxMonitor, FPN website, etc.)
- Release Engineering (taskcluster, shipit, *.build.m.o, build infra, etc.)
- Developer Services (phabricator, lando, bugzilla, sentry, crash reports, etc.)
Scope
Application security
Responsibility for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service.
- Risk assessments
- Security Reviews
- Manual and automated testing
- Review risks with product owners
- Security incident management
The application security group also owns cryptographic services (autograph, tls canary, tls observatory, etc.) and appsec tooling (zap, dependency observatory, etc.).
Operations security
Responsibility for infrastructure and hosting of Firefox services.
- Covers the security of AWS and GCP infrastructure, and datacenters for the build infra
- Security operations consulting for the Firefox organization at large
The operations security group also owns the fraud pipeline (foxsec-pipeline) and secops tooling (frost, sops, etc.).
Risk Management
Responsibility for maintaining visibility into the security posture of the Firefox infrastructure.
- Rapid Risk Assessments framework & associated tooling
- Security posture reports & leadership reporting
Security Checklist
This has moved to https://github.com/mozilla-services/websec-check
About the logo
The Firefox Operations Security logo is derived from this work by Synth Agency, and published under Creative Commons Attribution-NonCommercial 4.0 International Public License.