Working in application security can be frustrating. Often you’re working around problems in software you have little control over, making ugly bandaids that must stay in place until a vendor wakes up to an issue.
Perhaps this is why security folk, as a community, have gotten into the habit of complaining about how things are broken and leaving it there; how often have you attended a presentation where a vendor is criticised for making a mistake, but no solution is suggested, or help offered?
This frustration is one of the reasons I was really excited about coming to Mozilla. “Finally! I can make a difference!”, I thought. It didn’t take long for me to realise I’d missed something important; there was nothing stopping me before. You don’t need to be a Mozilla employee to contribute.
Because Mozilla is open. Not ‘open’ as in “here’s this neat thing we built behind closed doors (and here’s the source)”, but rather the kind of open that allows anyone with good ideas and talent to make a difference. We develop everything in the open so you can contribute ideas, patches and security guidance too.
I didn’t realise that I could contribute in all of these ways; had it occurred to me, some of the things I’m working on now could have been in the browser I used years ago. Has it occurred to you?
So what can you do?
- Get involved in security reviews (wiki page, calendar)
- Join discussions on mailing lists (mailing lists, Google Groups)
- Participate in our bug bounty program
Over the coming weeks we’ll be sharing more ideas for areas where you can get involved; watch this space!
— Mark Goodwin