From 5eb98cdbf9e4809b75cead0b67cd7318c75537a9 Mon Sep 17 00:00:00 2001 From: Claas Augner Date: Mon, 17 Nov 2025 15:05:06 +0100 Subject: [PATCH] docs(SECURITY): sync security policy --- .github/CODEOWNERS | 1 + SECURITY.md | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 95e4f1945..15e6e3fde 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -7,3 +7,4 @@ /.github/workflows/ @mdn/engineering /.github/CODEOWNERS @mdn/engineering +/SECURITY.md @mdn/engineering diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5033b966c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +## Overview + +This policy applies to MDN's website (`developer.mozilla.org`), backend services, and GitHub repositories in the [`mdn`](https://github.com/mdn) organization. Issues affecting other Mozilla products or services should be reported through the [Mozilla Security Bug Bounty Program](https://www.mozilla.org/en-US/security/bug-bounty/). + +For non-security issues, please file a [content bug](https://github.com/mdn/content/issues/new/choose), a [website bug](https://github.com/mdn/fred/issues/new/choose) or a [content/feature suggestion](https://github.com/mdn/mdn/issues/new/choose). + +## Reporting a Vulnerability + +If you discover a potential security issue, please report it privately via . + +If you prefer not to use HackerOne, you can report it via . + +## Bounty Program + +Vulnerabilities in MDN may qualify for Mozilla's Bug Bounty Program. Eligibility and reward amounts are described on . + +Please use the above channels even if you are not interested in a bounty reward. + +## Responsible Disclosure + +Please do not publicly disclose details until Mozilla's security team and the MDN engineering team have verified and fixed the issue. + +We appreciate your efforts to keep MDN and its users safe.
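Review bot: in the SECURITY.md hunk the three sentences that should carry the reporting and bounty links read "please report it privately via .", "you can report it via ." and "Eligibility and reward amounts are described on .", so as shown the private reporting channel, the HackerOne alternative and the bounty page have no visible URL, which leaves a reporter with no way to reach the team this policy is meant to route them to. If the targets were written as bare autolinks and got dropped, rendering them as explicit markdown links like `[HackerOne](https://...)` would make them robust to this kind of stripping and easier to verify in review; please also confirm the final file shows the same destinations as the policy it is synced from. The CODEOWNERS hunk is consistent with that file living at the repository root.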