Select a component to see open bugs in that component:
Bugs related to the operations security (OpSec) team. These include server/network related security issues.
Used whenever a security breach, data leak, or event occurs that requires incident response.
Think you might have a security incident but need help figuring it out? Leaked passwords but don't know if they've been used? It goes here. If an attack is in progress or data has been leaked and used/seen by third parties, use the Incident component instead.
For MIG, the Mozilla InvestiGator.
For MozDef, the Mozilla Defense platform - Mozilla's SIEM.
For NSM, the Network Security Monitoring running at Mozilla.
An adversarial exercise with the goal of demonstrating risks that could be exploited by a threat actor. Testing scope is heavily influenced by RRA and TM results, which should be completed prior to Penetration Testing.
The Rapid Risk (Impact) Assessment (also called Rapid Risk Analysis) is a discussion of 30 minutes or less about the potential risks of a project. The RRA is high level and lightweight.
Risk recorded during a risk analysis. These entries represent the risks and recommendations made. Tracking of remediations, acceptance of risk ("wontfix"), or discussion is done here.
A review of the set of attack scenarios to consider against an application. It is more specific, more thorough and often more time-consuming than a Rapid Risk Assessment (RRA). When a threat model or analysis is requested on a large service (i.e., larger than a quick reply in a bug), an RRA is required to ensure that the security recommendations cover the areas of concern of the service.
A semi-automated point-in-time vulnerability assessment conducted by a vulnerability scanner and other “point and shoot” tools for an explicit set of target(s). May include a validation component, depending on scope.