Bug 1267573 (Closed)
Opened 9 years ago
Closed 8 years ago
Lack of transparency on Mozilla web bug bounty program (out of scope domain)
Categories: (www.mozilla.org :: Pages & Content, defect)
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: (Reporter: takashi.kazenomamani, Unassigned)
Attachments: (1 file) text/x-github-pull-request (deleted)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160420030213
Actual results:
Mozilla's web bug bounty stated....
----------------------------
What about sites which are not listed?
If you find an issue with a site which is not “officially” part under the web application bug bounty, we would still like to know. If the bug is extraordinary, we might still consider the bug to be nominated for a bounty.
Source: https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs
-----------------------------
I filed a bug (reflected XSS) to Mozilla's security team (bug# 1267464). They said "we do not pay bounty to this domain." Reflected XSS is sec-high on Mozilla's sec-rating. In the past, Mozilla paid a bounty for reflected XSS on an out of scope domain.
Source: https://bugzilla.mozilla.org/show_bug.cgi?id=1261581
I believed sec-high is eligible for a bug bounty even if the reported domain was not listed on Mozilla's web bug bounty program. The reason is Mozilla paid in the past and my reported domain is known by many people. But my report was not eligible because of the domain...
My questions are....
1. What out of scope domain is eligible for a bug bounty?
2. In order to receive a bounty on an out of scope domain, what kind of bug is eligible (e.g. RCE, stored XSS, SQL injection, etc.)?
When a researcher reports a security bug to Mozilla's team, the researcher expects that he/she will be able to receive a bounty. If Mozilla does not specify the rule on out of scope domains, Mozilla can change the definition (extraordinary bug or domain). So Mozilla can steal a researcher's bug bounty submission.
By the way, what is an extraordinary bug? Sec-high? Sec-critical?
What kind of "extraordinary bug" is eligible on an out of scope domain?
I believe Mozilla stole many researchers' effort by saying "we do not pay bounty for this domain or this bug." How can a researcher know which out of scope domain is ok or not?
Mozilla said "we might still consider the bug to be nominated for a bounty." So Mozilla has to define what bug or out of scope domain is eligible for a bounty. If Mozilla can not define it, Mozilla should not say "we might still consider the bug to be nominated for a bounty."
I believe that my report was stolen by Mozilla. I hope Mozilla will make a change about this. If Mozilla will not make any change about this, it means Mozilla wants to steal researchers' effort and reports by abusing an evasive answer.
Expected results:
Following are improvements...
-----------------------------------------
Expected result(example):
What about sites which are not listed?
If you find an issue with a site which is not “officially” part under the web application bug bounty, we would still like to know. We are only interested in the following bugs and domains. We will not pay a bounty if the bug or domain is not listed.
・We will only pay a sec-critical bounty for these domains.
example111.mozilla.org
example222.mozilla.com
example333.mozilla.org
・We will only pay a bounty for the given vulnerability on these domains
xxxxxx.mozilla.org (Remote code execution)
yyyyyy.mozilla.com (Stored XSS & information disclosure)
zzzzzz.mozilla.org (SQL injection & reflected XSS)
Out of scope bugs and known issues
Server version disclosure
User enumeration
---------------------------------------------
This is fair, isn't it? If my suggestion is implemented, no one will be betrayed and exploited by Mozilla.
Updated•9 years ago
Component: Other → Pages & Content
Flags: needinfo?(amuntner)
Product: Websites → www.mozilla.org
Version: unspecified → Production
Comment 1•9 years ago
(In reply to Takashi from comment #0)
> If you find an issue with a site which is not “officially” part under the
> web application bug bounty, we would still like to know. If the bug is
> extraordinary, we might still consider the bug to be nominated for a bounty.
> -----------------------------
>
> I filed a bug(reflected xss) to Mozilla's security team(bug# 1267464). They
> said "we do not pay bounty to this domain." Reflected xss is sec-high on
> Mozilla's sec-rating. In the past, Mozilla paid bounty for reflected xss on
> out of scope domain.
>
> Source: https://bugzilla.mozilla.org/show_bug.cgi?id=1261581
"XSS" is one of the most common flaws out there. Although severe for the site in question it is by no means "extraordinary". wiki.mozilla.org is full of user-generated content and is not critical to our users or our development. The software is basic MediaWiki (not our own) so finding flaws in it doesn't help us make our software better and damage doesn't hurt us too badly (content is backed up). "extraordinary" would be taking over the machine itself which puts an attacker in a position to attack sites we do care about from inside the network.
crash-stats, on the other hand, is our own software, and more importantly has privileged accounts with the ability to see private user data about crashes: the submitter's email (if given), the URL they crashed on, in some cases the raw crash data contains stray memory contents with private user data. We care about that site much more. When we revamp the eligible list this site will definitely be on it.
> I believed sec-high is eligible for bug bounty even if reported domain was
> not listed on Mozilla's web-bug bounty program.
The severity rating is an academic evaluation with respect to the site in isolation; it is not a global risk rating to Mozilla as an organization. Otherwise there would be lots of sites whose security flaws would never rate higher than "sec-low" and that would not help the developers of that site prioritize which ones they should fix first.
> 1. What out of scope domain is eligible for bug bounty?
We are working on creating such a list because our current language seems to be very hard to understand. We have a couple of thousand different hostnames and most of them are not eligible for a bug bounty. Since the point of the bounty program is to focus researcher attention on the sites that put our users or their data at risk, or which could damage Firefox itself, we do hope researchers stick to that list.
> 2. In order to receive bounty on out of scope domain, what kind of bug is
> eligible(e.g. RCE, stored xss, SQL injection, etc)?
It depends on the site. If the site doesn't store sensitive user data from Firefox users, or isn't used to build or deliver software updates then that site is lowest priority. If you can take over a machine and potentially attack a site we _do_ care about then that would be likely eligible. More and more of our servers are being moved to isolated cloud instances with no special connection to each other, so even RCE is no guarantee of a bounty if the site itself is not important to our users or to building and delivering Firefox.
> When a researcher report a security bug to Mozilla's team, a researcher
> expects that he/she will be able to receive bounty.
That is an incorrect expectation. We published our eligible list to help focus researcher attention on our important sites and to prevent misunderstandings like this.
> If Mozilla does not specify the rule on out of scope domain,
Out of scope domains are out of scope. Expect that they will receive no bounty.
> So Mozilla can steal researcher's bug bounty submission.
We do not want to steal anything from anyone. Mozilla is built by an army of volunteers and we gratefully accept your donation of a bug report on a domain not on our bounty list. If this is strictly a financial transaction for you please stick to our list of definitely-eligible sites.
> By the way, what is extraordinary bug? Sec-high? Sec-critical?
"extraordinary" means "out of the ordinary". A security bug in a non-eligible domain needs to surprise and impress us with its technique and impact on sensitive Firefox user data or the production and delivery of software to Firefox users.
As I mentioned earlier the rating severity is relative to the site itself and has nothing to do with our evaluation of the importance of the site nor the "extraordinariness" of the vulnerability.
> I believe Mozilla stole many researcher's effort by saying "we do not pay
> bounty for this domain or this bug." How can a researcher know which out of
> scope domain is ok or not?
I apologize if we were not clear and we do not want to steal anyone's effort. We only want people who are willingly contributing to the safety of Firefox and Firefox users. Out of scope domains are out of scope. None of them are "ok" for the bounty. The exceptions are tiny, and by the nature of "extraordinary" we have no way to enumerate that in advance. If we could they would be "ordinary". Assume there is no bounty on out of scope domains, ever.
> If Mozilla can not define, Mozilla should not say "we might still
> consider the bug to be nominated for a bounty."
You are convincing me of that fact! We added that to give us the flexibility to be generous beyond the official bounds of the program. It is disheartening indeed to have that turned back on us as an accusation of parsimony.
Comment 2•9 years ago
I made two changes to the website today, they're waiting for review to get pushed into production. Some of the changes clarify the language around exceptional bugs, more or less plagiarizing Dan. They also contain an expanded list of hosts.
Thanks again for your feedback, you are welcome to ping me back to this bug with needinfo after the pages go up if you think there's still any vagueness to be addressed.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(amuntner)
Resolution: --- → FIXED
Comment 3•9 years ago
Reopening this until the PR has been reviewed and merged by a bedrock developer. Thanks for the pull request!
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
I have a question. I think this question needs more info so that a reporter can understand more clearly.
Question:
If a reporter wants to get a reward before the Mozilla team fixes a bug, what does he need to do? Emailing the Mozilla team? If so, please add information on where to send an email.
Flags: needinfo?(amuntner)
Comment 6•9 years ago
Submit bugs on a bounty-eligible site and use the web form, which sets the bounty ? flag.
Thanks Takashi
Flags: needinfo?(amuntner)
Comment 7•9 years ago
Commit pushed to master at https://github.com/mozilla/bedrock
https://github.com/mozilla/bedrock/commit/0b54c4d591c7102adf82526a79b160a0db4a40fc
Update and fixup web bounty rules, award amount
See bug 1267573
Issue 4100
Comment 9•8 years ago
Commits pushed to master at https://github.com/mozilla/bedrock
https://github.com/mozilla/bedrock/commit/6046e4608e6da9bfd1c762f36275c53e5c38a844
[fix bug 1267573] Small clean-up fixes to web app bug bounty faq.
https://github.com/mozilla/bedrock/commit/ebed850c70c1370b63f250b14c62c68e8414ad26
Merge pull request #4147 from jpetto/bug-1267573-update-webapp-bug-bounty-faq
Bug 1267573 update webapp bug bounty faq
Updated•8 years ago
Status: REOPENED → RESOLVED
Closed: 9 years ago → 8 years ago
Resolution: --- → FIXED
Comment 10•8 years ago
(In reply to Takashi from comment #8)
> Any updates? It took so much time.
The new and updated pages have been live for a week or more now. Did you go look?
Comment 11•8 years ago (Reporter)
Really? When I go to...
https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/
I see an old page... Am I looking at the wrong page?
Updated•8 years ago
Flags: needinfo?(amuntner)
Comment 12•8 years ago
We merged this to master yesterday, as seen in Comment 9. It will go to production in our next push. This will likely be in the next day.
For now you can see the results on our staging server.
https://www.allizom.org/en-US/security/bug-bounty/faq-webapp/
Flags: needinfo?(amuntner)
Comment 13•8 years ago (Reporter)
Comment 4's and comment 12's eligible domain lists are not the same.
Comment 4 link: https://github.com/mozilla/bedrock/pull/4099
Comment 12 link: https://www.allizom.org/en-US/security/bug-bounty/faq-webapp/
For example, teach.mozilla.org and support.mozilla.org were not included on the eligible domain list.
What happened?
Comment 14•8 years ago
(In reply to Takashi from comment #13)
> Comment 4's and comment 12's eligible domain lists are not same.
>
>
> Comment 4 link: https://github.com/mozilla/bedrock/pull/4099
>
> comment 12 link:
> https://www.allizom.org/en-US/security/bug-bounty/faq-webapp/
>
>
> For example, teach.mozilla.org and support.mozilla.org were not included on
> eligible domain lists.
>
> What happened?
The original pull request got closed and reopened because it was not correct (reasons/sources not quite clear):
https://github.com/mozilla/bedrock/pull/4120#issuecomment-219039969
If this information is still incorrect, may I suggest you open a new bug and clearly state what the correct list should be? Having this information clearly defined in a bug helps us a lot during code review to avoid churn. We would also be more than happy to pick this up and finish it off for you if that makes things easier. Thanks again.
Comment 15•8 years ago (Reporter)
Currently, I do not completely understand which sites are used by many users or are important. So probably I shouldn't open a new bug and create a bug bounty domain list.
But I think these domains involve users' data. I'd like to suggest adding these domains...
Crash report (socorro)
crash-stats.mozilla.com
SUMO
support.mozilla.org
Teach
teach.mozilla.org
Comment 16•8 years ago
Commit pushed to master at https://github.com/mozilla/bedrock
https://github.com/mozilla/bedrock/commit/d7580090e46a0fba598a1f096c9c1c76c466708a
[fix bug 1267573] Bug bounty FAQ - add missing closing slash on <li>
Comment 17•8 years ago
Pull request to address Comment 15
Comment 18•8 years ago
(In reply to Takashi from comment #15)
> Currently, I do not completely understand which sites are used by many users
> or important. So probably I shouldn't open a new bug and create bug bounty
> domain's list.
We made a determination of which sites we want to support bounties on. If you'd like to participate in the program, I'd suggest focusing on those sites, especially now that the updated list is up.
Comment 19•8 years ago
I suggest any further discussion be taken to email. Bugzilla is not a forum and our website is now current, "fixing" this bug.
Comment 20•8 years ago
As per Comment 18 and Comment 19, I'm going to close the pull request linked in Comment 17 without merging, as it sounds like we are ok as-is and this bug is already "fixed".