Commit 151d54b

docs(SECURITY): sync security policy (#352)
1 parent 8cb6eba commit 151d54b

2 files changed: +21 -8 lines changed

.github/CODEOWNERS

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,3 +9,4 @@
99

1010
/package.json @mdn/engineering @mdn-bot
1111
/package-lock.json @mdn/engineering @mdn-bot
12+
/SECURITY.md @mdn/engineering
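Review bot: the new `/SECURITY.md` entry names only `@mdn/engineering`, whereas the neighbouring `/package.json` and `/package-lock.json` entries also list `@mdn-bot`; since the commit title describes this as a "sync" of the security policy, confirm that the omission is intentional so that any automated update to the file still requires a human code-owner review. Requiring that review is a sensible safeguard, because a change to this file can redirect where vulnerability reports are sent.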

SECURITY.md

Lines changed: 20 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,25 @@
11
# Security Policy
22

3+
## Overview
4+
5+
This policy applies to MDN's website (`developer.mozilla.org`), backend services, and GitHub repositories in the [`mdn`](https://github.com/mdn) organization. Issues affecting other Mozilla products or services should be reported through the [Mozilla Security Bug Bounty Program](https://www.mozilla.org/en-US/security/bug-bounty/).
6+
7+
For non-security issues, please file a [content bug](https://github.com/mdn/content/issues/new/choose), a [website bug](https://github.com/mdn/fred/issues/new/choose) or a [content/feature suggestion](https://github.com/mdn/mdn/issues/new/choose).
8+
39
## Reporting a Vulnerability
410

5-
If you've discovered a security issue, please report it through the form linked
6-
below, which will create a secure, private ticket.
7-
https://bugzilla.mozilla.org/form.web.bounty
11+
If you discover a potential security issue, please report it privately via <https://hackerone.com/mozilla>.
12+
13+
If you prefer not to use HackerOne, you can report it via <https://bugzilla.mozilla.org/form.web.bounty>.
14+
15+
## Bounty Program
16+
17+
Vulnerabilities in MDN may qualify for Mozilla's Bug Bounty Program. Eligibility and reward amounts are described on <https://hackerone.com/mozilla>.
18+
19+
Please use the above channels even if you are not interested in a bounty reward.
20+
21+
## Responsible Disclosure
22+
23+
Please do not publicly disclose details until Mozilla's security team and the MDN engineering team have verified and fixed the issue.
824

9-
MDN may be eligible for
10-
[Mozilla's Security Bug Bounty Program](https://www.mozilla.org/en-US/security/bug-bounty/).
11-
You can find more information about the bounty program in the
12-
[Mozilla Web Bug Bounty FAQ](https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/).
13-
You can use the above form even if you are not interested in a bounty reward.
25+
We appreciate your efforts to keep MDN and its users safe.
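Review bot: the new "Responsible Disclosure" section asks reporters not to publish details until the issue is verified and fixed but gives no expected acknowledgement time or coordinated-disclosure window, so a reporter has no way to know when they may reasonably publish; consider adding a sentence such as "We aim to acknowledge reports within N business days" (with the team's actual commitment) under that heading. Separately, the removed lines dropped the link to the Mozilla Web Bug Bounty FAQ (`https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/`), so the "Bounty Program" section now relies solely on the HackerOne page for eligibility details; keeping the FAQ link alongside it would preserve the scope and eligibility information the old text pointed to.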
