We encourage people to report any and all bugs in Mozilla, including
security-related bugs, to the Mozilla project. As a reminder for future
bug reporters, the Mozilla project has a formal policy for handing
reports of security vulnerabilities; this policy was created after
extensive discussions between mozilla.org staff and the public Mozilla
community. The main elements of this policy are as follows:
* Anyone who believes they have found a Mozilla-related security
vulnerability can and should report it by sending email to the address
secu...@mozilla.org.
* We may keep information in the Mozilla bug database about the
vulnerability confidential for a limited period of time, during which
time the vulnerability will be investigated and (if possible) a fix
produced.
* The reporter of the vulnerability is invited to work with Mozilla
developers to investigate and fix the vulnerability. The bug reporter
will be granted access to the confidential information in the Mozilla
bug database relating to the vulnerability, and may at their discretion
publicly disclose that information at any time.
* Once disclosed, information in the Mozilla bug database relating to
the vulnerability will be publicly available for viewing by any
interested party.
For more details, see the full policy document [2]; any questions about
the policy should be directed to mozilla.org staff at st...@mozilla.org.
Note that vendors of Mozilla-based products may have their own policies
and procedures relating to reports of security vulnerabilities;
questions about those policies and procedures should be directed to
those vendors.
Public reports about the recent Mozilla vulnerability have also
mentioned a "Bugs Bounty" program offered by Netscape. We applaud vendor
efforts to provide appropriate recognition to those who report bugs.
However note that the "Bugs Bounty" program and similar vendor-sponsored
initiatives are independent of the public Mozilla project; mozilla.org
does not oversee or control such programs, nor does mozilla.org operate
its own such program.
[1] http://bugzilla.mozilla.org/show_bug.cgi?id=141061
http://bugzilla.mozilla.org/show_bug.cgi?id=141348
http://bugzilla.mozilla.org/show_bug.cgi?id=141453
http://bugzilla.mozilla.org/show_bug.cgi?id=141551
[2] http://www.mozilla.org/projects/security/security-bugs-policy.html
--
Frank Hecker
hec...@mozilla.org