Comodo Certificate Issue – Follow Up

This is a follow-up to the previous Mozilla report about the fraudulent certificates issued by Comodo last week. On 15th March 2011, an RA partner of the Comodo CA suffered …

Firefox Blocking Fraudulent Certificates

Issue: Mozilla has been informed about the issuance of several fraudulent SSL certificates for public websites. The certificates have been revoked by their issuer, which should protect most users. This …

Scaling Security

The AppSec space is an extremely challenging field to work in, largely due to asymmetry; when you play defence you have to work to stay on top of each emerging …

Attack Aware Applications

We are working hard to advance the security of Mozilla web applications. This includes efforts such as threat modelling, security training, security throughout development, code review, testing, the bounty program, …

Web Bounty Update

It has been just over a month since we announced the expansion of our bounty program to include selected web applications. We have received many bug reports and have awarded …

addons.mozilla.org disclosure

On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported …

Adding Web Applications to the Security Bug Bounty Program

Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities. So we are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

Cooling Down the Firesheep

There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, …

X-Frame-Options

One of the security enhancements included with Firefox 3.6.9 is support for the X-Frame-Options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages.