(In reply to Abdulrahman Alqabandi[test] from comment #1) > Could you please test on non-windows Os? ops

(In reply to Andrew McCreight [:mccr8] from comment #6) > It looks like this has been posted publicly in > http://leucosite.com/Chrome-Firefox-Edge-Local-File-Disclosure/ So much for the bounty then.

Abdulrahman, if it isn't clear. Publicly discussing the details of a security bug that we haven't fixed yet is bad form, especially if you never put any disclosure date warnings in communications with us. 90 days, at least, is the industry standard for people that do put such guidelines on disclosure into place. Finding out via twitter and blogs that you've potentially 0dayed users is not cool.

I do not believe our client bounty policy has ever specified 60 days. I'd love for you to show me where it has. Possibly you are confusing Mozilla with Google or someone else. We haven't substantially changed the wording of the security policy recently, having only done minor edits within the last year. You should not make "assumptions" about a 60 day policy. Mozilla does not have a 60 (or 90 or 120) day disclosure policy and never has. Sometimes reporters come to us and state "I will disclose this bug in x days" and we try to act with this knowledge. We do not have a policy of "If we don't fix this in 60 days, you should tell the world about it in detail." I have no idea why you thought publicly disclosing this was a good idea at all based on anything we've ever said to you. If we had known that you thought that after 60 days, you were ok to just open this up to the world, we might have acted differently. It kind of burns bridges with us to do things like this with ZERO communication on your part to us. Even giving us a heads up would have allowed us to have a discussion with you about your assumptions and ours. In any case, this bug isn't fixed. It is hidden as a security issue. You just wrote a detailed blog post about it. This isn't about users of our nightly builds. This is about the fact that this is a security issue affecting *all* of our users, potentially. If you wanted to write a post about an unfixed bug, you would be better served to either ask in the bug if we see any issues doing so or emailing us at security@mozilla.org, rather than handing the world a security issue with details when it isn't fixed. I really don't care when you reported to Google or Microsoft. That is Google and Microsoft's business, not ours. Their policies and responses are not ours. What I see here is a 60 day old bug that is now public when we're about to ship a release in several days so we can't fix it in time for Firefox 53 without making it an emergency. As a moderate issue about data disclosure, we're not going to do that because the costs are too high and the impacts too great.

Again, this bug is 5 months old originally reported in Bug 1319370. But yes I did confuse the 60 day policy thing that came from Google not you. I also was under the impression that Mozilla did not care about public disclosure, all you ask is sufficient time to fix, I believe after 5 months that is sufficient. From https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ Q&A: The question is: "If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?" Mozillas answer: "No. We’re rewarding you for finding a bug, not trying to buy your silence... " As I write this I realize this may be only applicable for website flaws but this was not clear to me before. I'm really surprised by your reaction to this and am sad that you took this as a bridge burner. I hope you reconsider as I have what I think is a good track record (few hickups), there is even an SOP bypass that is 4 months old and I do not plan on publicly disclosing anytime soon and have been more than patient, plenty other bugs in the same situation. My mistake was communication, but I honestly thought you guys were so busy that I did not want to bother about a less severe bug.

(In reply to Abdulrahman Alqabandi from comment #11) > From https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ Q&A: That's not the bounty program that covers Firefox or our client software. That's the one for our websites, which is why it says "Web Application" on the top. The client program is at https://www.mozilla.org/en-US/security/client-bug-bounty/ The text is largely the same but you should be sure you're referring to the appropriate program since details do differ between them. And, no, we aren't "buying silence" but we also expect people not to 0day users, especially with zero communication with us that they are about to do so. Perhaps the bounty committee as a whole with disagree with my decision and still pay a bounty on this issue. > I'm really surprised by your reaction to this and am sad that you took this as a bridge burner. I hope you reconsider as I have what I think is a good track record (few hickups), there is even an SOP bypass that is 4 months old and I do not plan on publicly disclosing anytime soon and have been more than patient, plenty other bugs in the same situation. My mistake was communication, but I honestly thought you guys were so busy that I did not want to bother about a less severe bug. It isn't a "bridge burner" in the sense that you're out of the bounty program or something. It is in the fact that we pay attention to the behavior and interactions with security researchers and do note which ones work well with us and which ones, for example, post unfixed bugs in public without telling us. You can still continue to work with us. Up until now, you've been fairly well regarded on our team for the work you've done. The relationship isn't irreparably damaged but this was not a good surprise on a Friday morning. Further discussions should be held by email if necessary at security@mozilla.org.