Mozilla’s Commitment To Security

mcoates

October is National Cyber Security Awareness month and we want to take the opportunity to reiterate Mozilla’s security commitment to the Web. From Firefox for Windows, Mac, Linux and Android to Firefox OS to the Firefox Marketplace, Persona and more – Mozilla is committed to delivering secure applications and services that protect our users’ data and privacy. This is more than just a commitment; it’s even in our manifesto.

Individuals’ security on the Internet is fundamental and cannot be treated as optional. http://www.mozilla.org/about/manifesto.html

Open & Transparent

In the spirit of Mozilla and our pledge to being open, we report all of our security issues to the public. We don’t just show bugs when someone else publicly discusses an issue or when it is convenient to us; we’re open and transparent as a matter of principle.

When a security issue is present that impacts our users we’ll tell the world what we know, what it means to our users and what we’re  doing to address the concern. Our pledge is to provide this information to our users as soon as we know it and fix the issue as quickly and responsibly as possible.

Secure Software Development Lifecycle
Let’s take a quick look at the variety of mechanisms we include within our secure software development lifecycle.

  • Threat Modeling – During design we gather security experts, developers and architects to evaluate potential risks of a design and ensure proper security controls are present in the design of the new system or feature.
  • Fuzzing – Automated scripts and tools send a variety of malformed data into our applications to ensure our products properly handle all sorts of unexpected scenarios that could otherwise lead to vulnerabilities.
  • Security Code Review – Our security experts and developers manually review critical code to identify the proper use of security controls and proactively find potential flaws.
  • Penetration Testing – We perform the same actions that a real attacker would take against our applications and ensure all security defenses are properly functioning.
  • Bug Bounty Program – Mozilla began the first browser bug bounty program in 2004 and expanded to include critical web applications in 2010.  This program builds our larger security community and is another way we proactively discovery security issues and provide fixes long before users are ever at risk.

Results?

Our secure software development lifecycle allows us to proactively harden our applications and fix potential security concerns. In fact, since 2010 we’ve only had three public security zero-days (potentially exploitable security vulnerabilities in the current version) within our Firefox code that has caused us to rapidly release a security fix. When these situations arise we deliver fixes to our users in an average of under 48 hours.

A Secure Mozilla Experience

Mozilla is committed to the security of our users. We employ a variety of  strategies to securely build and maintain our software. When unexpected  issues arise, we’re open and honest about what happened and what we’re doing to make it right.  We hope that these commitments and our track record speaks to the importance and priority that we place on protecting user data and the web.

Michael Coates
Director of Security Assurance