Rebooting Security Engagement at Mozilla

Curtisk

We recently announced a reboot of our efforts to engage with security contributors at Mozilla. Today our strongest and most lasting contributor relationships are with individuals searching for bug bounties. While this program has been very successful, this model sets up a relationship where the only tangible contribution is a bug that may or may not result in a bounty. Instead we want to encourage growth in knowledge from those willing to learn, encourage the creation of open source tools for security work, and recognize the natural asymmetric challenges of an open source project that competes with closed source offerings.

In order to do this we have to recognize some unique challenges that security work has in an open project. The first issue is one of trust, as the information that is available in the normal course of our work could harm users in the wrong hands. The second is that access to security knowledge is not conveyed simply by employment at Mozilla Corporation but by membership in the Security Group (which isn’t changing in any way). To date there has not been a clear path to get involved with security at Mozilla, and this new program aims to change that.

Contributor & Security Contributor
All contributors, the individuals who contribute code to the various projects, are already important participants in existing security review processes. However, we want to encourage security-minded contributors to take a more active role in the Mozilla security community.

The title “Security Contributor” is how we differentiate those contributors who provide security related content including (but not limited to): Brown Bag Presentations, Conference Talks, MDN documentation, Security Review Documentation, Security Tool contributions, and Vulnerability Defence Documentation. They file security bugs, but not necessarily in pursuit of bug bounties, and they contribute patches for security bugs. They may over time also gain increased access to security bugs as needed for the work they are doing.

Security Champions
Champions are active members of a team who help to make decisions about when to engage others from the Security Team. They are recognized as experts on a product or area and also have security knowledge and expertise. Champions continue to do the work they do today but take on some added responsibility for guiding security decisions and verifying the security direction of the team they are already with.

One of those tasks would be helping to triage bugs in that component or area and get them into the hands of people who can make a difference in fixing and prioritizing them. As part of this program each champion has a direct contact in the Security Assurance team whom they can ask questions of and get guidance from when needed. This program has already begun and is actively looking for more people who want to be a part of it. As part of our commitment to the success of this program, we will be providing training and tools to ensure success.

Security Mentors
Our last group of contributors is one designed to maximize the impact of specialized knowledge for everyone. Mentors have expertise in a domain area such as cryptography, JavaScript, memory models, or fuzzing. This group is also willing to mentor those who have questions or need guidance in a more general way. They don’t take on the extra work of our champions but are willing to work one on one to help others gain knowledge while working on a specific task. The program for this is also just getting started. We’ve lined up a group of people from the Security Assurance team and made some contacts with academic institutions to help drive some specific actions that we think will be rewarding for both parties.

This journey is just beginning. We hope that those of you reading this will find a place where you can engage with the project, grow in skill, and become a part of our community.