You are at the archive for the Security Category:

Web Bounty Update

It has been just over a month since we announced the expansion of our bounty program to include selected web applications.  We have received many bug reports and have awarded $40,000. We will make the resolved bugs public shortly as these issues are no longer a threat to the community and our users. Since the [...]

addons.mozilla.org disclosure

On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk [...]

Adding Web Applications to the Security Bug Bounty Program

Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities. So we are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

Cooling Down the Firesheep

There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the [...]

Critical vulnerability in Firefox 3.5 and Firefox 3.6

Update (Oct 27, 2010 @ 20:12): A fix for this vulnerability has been released for Firefox and Thunderbird users.

Firefox 3.6.12 and 3.5.15 security updates now available

Thunderbird 3.1.6 and 3.0.10 security updates now available

Issue: Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from [...]

X-Frame-Options

One of the security enhancements included with Firefox 3.6.9 is support for the x-frame-options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages.

HTTP Strict Transport Security

A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it into our source tree. This means that HSTS will [...]

Thoughts on Identity and Privacy

I’ve posted some of my recent thinking on privacy and identity. For some time we’ve generally seen privacy treated as its own problem domain, oddly divorced from the realms of security and identity. Perhaps it’s time for a different approach?

Plugin Check for Everyone

It’s been a few months since I wrote about the work our plugin check team has been doing, but there are a couple of pretty excellent pieces of news I’d like to share, most notably: the Mozilla plugin check now works for users of other browsers as well.

Plugin Check: A Refresher

Last fall, we [...]

Removing the RSA Security 1024 V3 Root

There’s been confusion today about the work we’re doing on our root store, the set of trusted certificate authorities shipped with Mozilla products. The short story is this: we’re removing the “RSA Security 1024 V3” root from that list. Its owners have confirmed that it is not in use, and not covered by current audits. [...]