Security/Testing

From MozillaWiki
Jump to: navigation, search

Firefox Security Testing Team

Securing Firefox through Security Testing, Auditing and Monitoring

What do we do?

  • security testing new of features in Firefox desktop and mobile
  • security testing as part of security review process
  • target security code auditing (e.g. auditing of new libraries to be included in Firefox)
  • hunt and eradicate security bug classes in the Firefox codebase

What are we working on right now ?

See our Trello board.

How can we help you?

Contact us at security-testing@mozilla.com.

To report a security issue in Firefox desktop or mobile, use the client bug bounty form here.

What do we do?

Release Security Testing

Security testing of features to mitigate implementation risk and catch common security flaws. Testing will be targeted on features identified by:

  • Residual risk highlighted by Engineering Security Review process
  • Triage upcoming desktop & mobile features to identify “risky” features/changes that warrant security testing (catch-all for features which missed security review)

Vulnerability management and measurement

Security Activities in in the post-release phase - monitoring of incoming security bugs, measuring features on the web, and security maintenance activities like monitoring for security issues in dependencies.

Security Auditing Projects

Target security testing projects not tied to a specific Firefox release:

  • Testing of large browser features that span multiple releases (e.g. Web Payments)
  • Testing of Firefox security components (e.g. Sandbox testing)
  • Testing of areas of known weakness (e.g. components receiving frequent security issues through manual auditing, static analysis, instrumentation etc)