{"id":2522,"date":"2019-11-14T10:03:48","date_gmt":"2019-11-14T18:03:48","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2522"},"modified":"2019-11-14T10:08:45","modified_gmt":"2019-11-14T18:08:45","slug":"adding-codeql-and-clang-to-our-bug-bounty-program","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/","title":{"rendered":"Adding CodeQL and clang to our Bug Bounty Program"},"content":{"rendered":"<p>At GitHub Universe, <a href=\"https:\/\/github.blog\/2019-11-14-announcing-github-security-lab\/\">GitHub announced the GitHub Security Lab<\/a>, an initiative to help secure open source software alongside the community and an initial set of partners, including Mozilla. As part of this announcement, GitHub is providing free access to CodeQL, a security research tool that makes it easier to identify flaws in open source software. Mozilla has used these tools privately for the past two years and has been very impressed by them and hopeful about how they will improve software security. Mozilla recognizes the need to scale security work through automation and to tighten the feedback loop between development and security auditing\/engineering.<\/p>\n<p>One of the ways we\u2019re supporting this initiative at Mozilla is through renewed investment in automation and static analysis. We think the broader Mozilla community can participate, and we want to encourage it. 
Today, we\u2019re announcing a new area of our <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/client-bug-bounty\/\">bug bounty program<\/a> to encourage the community to use the CodeQL tools. We are exploring the use of CodeQL tools and will award a bounty &#8211; above and beyond our existing bounties &#8211; for static analysis work that identifies present or historical flaws in Firefox.<\/p>\n<p>The highlights of the bounty are:<\/p>\n<ul>\n<li>We will accept static analysis queries written in CodeQL or as clang-based checkers (clang analyzer, clang plugin using the AST API or clang-tidy).<\/li>\n<li>Each previously unknown security vulnerability your query matches will be eligible for a bug bounty per the normal policy.<\/li>\n<li>The query itself will also be eligible for a bounty, the amount dependent upon the quality of the submission.<\/li>\n<li>Queries that match <i>historical<\/i> issues but do not find new vulnerabilities <b>are eligible<\/b>. This means you can look through our <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/\">historical advisories<\/a> to find examples of issues you can write queries for.<\/li>\n<li>Mozilla\u2019s and GitHub\u2019s bug bounties are <i>compatible<\/i>, not <i>exclusive<\/i>, so if you meet the requirements of both, you are eligible to receive bounties from both. (More details below.)<\/li>\n<li><i>The full details of this program are available at <\/i><a href=\"https:\/\/www.mozilla.org\/en-US\/security\/client-bug-bounty\/\"><i>our bug bounty program&#8217;s homepage<\/i><\/a><i>.<\/i><\/li>\n<\/ul>\n<p>When fixing any security bug, a retrospective is an important part of the remediation process, and it should answer the following questions: Was this the only instance of this issue? Is this flaw representative of a wider systemic weakness that needs to be addressed? And most importantly: can we prevent an issue like this from ever occurring again? 
Variant analysis, driven manually, is usually the way to answer the first two questions. Static analysis, integrated into the development process, is one of the best ways to answer the third.<\/p>\n<p>Besides our existing clang analyzer checks, we\u2019ve made use of CodeQL over the past two years to do variant analysis. The tool supports both targeted, zero-false-positive queries and broader queries whose results give manual analysis a more complete and less noisy starting point than simple string matching. To see examples of where we\u2019ve successfully used CodeQL, we have a <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1458117\">meta tracking bug<\/a> that illustrates the types of bugs we\u2019ve identified.<\/p>\n<p>We hope that security researchers will try out CodeQL too, and share both their findings and their experience with us. And of course, regardless of how you find a vulnerability, you\u2019re always welcome to submit bugs through the regular <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/client-bug-bounty\/\">bug bounty program<\/a>. So if you have custom static analysis tools, fuzzers, or just the mainstay of grep and coffee &#8211; you\u2019re always invited.<\/p>\n<h3>Getting Started with CodeQL<\/h3>\n<p>GitHub is publishing a guide covering how to use CodeQL at <a href=\"https:\/\/securitylab.github.com\/tools\/codeql\">https:\/\/securitylab.github.com\/tools\/codeql<\/a>.<\/p>\n<h3>Getting Started with Clang Analyzer<\/h3>\n<p>We currently have a number of custom-written checks <a href=\"https:\/\/searchfox.org\/mozilla-central\/source\/build\/clang-plugin\">in our source tree<\/a>. 
So the easiest way to write and run your check is to <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Developer_guide\/Build_Instructions\/Simple_Firefox_build\">build Firefox<\/a>, add \u2018ac_add_options --enable-clang-plugin\u2019 to your mozconfig, add your check, and then run \u2018.\/mach build\u2019 again.<\/p>\n<p>To learn how to add your check, you can review <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1569681\">this recent bug that added a couple of new checks<\/a> &#8211; it shows how to add a new plugin to Checks.inc and ChecksIncludes.inc, and how to add tests. This particular plugin also adds a couple of attributes that can be used in the codebase, which your plugin may or may not need. Note that depending on how you view the diffs, it may appear that the author modified existing files, but actually they copied an existing file and then modified the copy.<\/p>\n<h3>Future of CodeQL and clang within our Bug Bounty program<\/h3>\n<p>We retain the ability to be flexible. We\u2019re planning to evaluate the effectiveness of the program when we reach $75,000 in rewards or after a year. After all, this is something new for us and for the bug bounty community. We\u2014and GitHub\u2014welcome your communication and feedback on the plan, especially candid feedback. If you\u2019ve developed a query that you consider more valuable than what you think we\u2019d reward &#8211; we would love to hear that. (If you\u2019re keeping the query, hopefully you\u2019re submitting the bugs to us so we can see that we are not meeting researcher expectations on reward.) 
And if you spent hours trying to write a query but couldn\u2019t get over the learning curve &#8211; tell us and show us what problems you encountered!<\/p>\n<p>We\u2019re excited to see what the community can do with CodeQL and clang; and how we can work together to improve on our ability to deliver a browser that answers to no one but you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Github Universe, Github announced the GitHub Security Lab, an initiative to help secure open source software alongside the community and an initial set of partners including Mozilla. As part &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/\">Read more<\/a><\/p>\n","protected":false},"author":1610,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[45514,45498],"coauthors":[323226],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Adding CodeQL and clang to our Bug Bounty Program - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tom Ritter\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/\",\"name\":\"Adding CodeQL and clang to our Bug Bounty Program - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2019-11-14T18:03:48+00:00\",\"dateModified\":\"2019-11-14T18:08:45+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/8050c901fa7de4b8592fbf3883ada431\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/11\/14\/adding-codeql-and-clang-to-our-bug-bounty-program\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Adding CodeQL and clang to our Bug Bounty Program\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/8050c901fa7de4b8592fbf3883ada431\",\"name\":\"Tom Ritter\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8c665b379ecb0126402892978ad819df\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3751f274d6ee027c0b815855573c73d5?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3751f274d6ee027c0b815855573c73d5?s=96&d=identicon&r=g\",\"caption\":\"Tom Ritter\"},\"sameAs\":[\"https:\/\/ritter.vg\",\"https:\/\/x.com\/tomrittervg\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2522"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1610"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2522"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2522\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2522"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}