On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We … Continue reading
Posts from 2010
Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web applications vulnerabilities. So we are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities. Continue reading
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such … Continue reading
Update (Oct 27, 2010 @ 20:12): A fix for this vulnerability has been released for Firefox and Thunderbird users. Firefox 3.6.12 and 3.5.15 security updates now available Thunderbird 3.1.6 and 3.0.10 security updates now available Issue: Mozilla is aware of … Continue reading
One of the security enhancements included with Firefox 3.6.9 is support for the x-frame-options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages. Continue reading
A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidifed into a draft spec for HTTP Strict Transport Security (HSTS) … Continue reading
Zack Weinberg did a great blog post explaining the recent changes in Firefox 3.5.11 and 3.6.7 to mitigate cross-site data theft using CSS. This is a mitigation for an issue originally “rediscovered” by Chris Evans.
Issue There has been discussion today about a Firefox feature that warns users when a site’s URL is deceptive. When a Firefox user visits a site with a url that might be deceptive (e.g. http://email@example.com/) , Firefox will stop the … Continue reading
I’ve posted some of my recent thinking on privacy and identity. For some time we’ve generally seen privacy treated as its own problem domain, oddly divorced from the realms of security and identity. Perhaps its time for a different approach?
Mozilla launched its security bounty program in 2004 and while the original mission of protecting users by supporting security research has not changed, the security environment has changed tremendously. In recognition of these changes we are updating our security bounty … Continue reading