Commit f836257

docs(SECURITY): sync security policy (#83)
1 parent c3e16ef commit f836257

2 files changed: +22 −9 lines changed


.github/CODEOWNERS

Lines changed: 1 addition & 0 deletions
@@ -9,3 +9,4 @@
99

1010
/.github/workflows/ @mdn/engineering
1111
/.github/CODEOWNERS @mdn/content-team @mdn/engineering
12+
/SECURITY.md @mdn/engineering

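Review bot: the new `/SECURITY.md @mdn/engineering` line assigns the policy to engineering only, while the adjacent `/.github/CODEOWNERS @mdn/content-team @mdn/engineering` entry gives both teams ownership of the repository's ownership file. Since SECURITY.md is a reader-facing document that the content team will likely be asked to edit, consider listing both teams, e.g. `/SECURITY.md @mdn/content-team @mdn/engineering`, so a review request reaches whoever touches it.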
SECURITY.md

Lines changed: 21 additions & 9 deletions
@@ -1,13 +1,25 @@
11
# Security Policy
22

3-
## Reporting a vulnerability
3+
## Overview
44

5-
If you've discovered a security issue, please report it through the form linked
6-
below, which will create a secure, private ticket.
7-
https://bugzilla.mozilla.org/form.web.bounty
5+
This policy applies to MDN's website (`developer.mozilla.org`), backend services, and GitHub repositories in the [`mdn`](https://github.com/mdn) organization. Issues affecting other Mozilla products or services should be reported through the [Mozilla Security Bug Bounty Program](https://www.mozilla.org/en-US/security/bug-bounty/).
86

9-
MDN may be eligible for
10-
[Mozilla's Security Bug Bounty Program](https://www.mozilla.org/en-US/security/bug-bounty/).
11-
You can find more information about the bounty program in the
12-
[Mozilla Web Bug Bounty FAQ](https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/).
13-
You can use the above form even if you are not interested in a bounty reward.
7+
For non-security issues, please file a [content bug](https://github.com/mdn/content/issues/new/choose), a [website bug](https://github.com/mdn/fred/issues/new/choose) or a [content/feature suggestion](https://github.com/mdn/mdn/issues/new/choose).
8+
9+
## Reporting a Vulnerability
10+
11+
If you discover a potential security issue, please report it privately via <https://hackerone.com/mozilla>.
12+
13+
If you prefer not to use HackerOne, you can report it via <https://bugzilla.mozilla.org/form.web.bounty>.
14+
15+
## Bounty Program
16+
17+
Vulnerabilities in MDN may qualify for Mozilla's Bug Bounty Program. Eligibility and reward amounts are described on <https://hackerone.com/mozilla>.
18+
19+
Please use the above channels even if you are not interested in a bounty reward.
20+
21+
## Responsible Disclosure
22+
23+
Please do not publicly disclose details until Mozilla's security team and the MDN engineering team have verified and fixed the issue.
24+
25+
We appreciate your efforts to keep MDN and its users safe.

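Review bot: line 13 of the new text offers the Bugzilla form as a fallback but drops the removed wording that the form "will create a secure, private ticket"; a reporter deciding between the two channels should be told that the fallback is also confidential, so consider restoring that clause, e.g. "you can report it via <https://bugzilla.mozilla.org/form.web.bounty>, which creates a secure, private ticket." Two smaller points: the old "Mozilla Web Bug Bounty FAQ" link was removed and the new Bounty Program section points only at the HackerOne page, so the FAQ reference could be kept alongside it; and the Responsible Disclosure section asks reporters to wait for a fix without stating any acknowledgement or response window, which reporters commonly look for in a policy.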