
Relaunch and redo the web bug bounty program #4744

Closed
wants to merge 6 commits into from

Conversation

april
Contributor

@april april commented Mar 31, 2017

Description

This completely relaunches the Mozilla web bug bounty program.

It includes:

  • Updated site lists
  • Revamped navigation
  • Completely rewritten documentation
  • Specific payouts

And a lot more.

Could the following users please r+?
@dveditz, @jeffbryner, @jvehent, @claudijd, @rforbes, @albill

Thanks!

Bugzilla link

Testing

I am having trouble running the tests locally, but I have been running it off a local bedrock instance for days without issue.

Checklist

  • Requires l10n changes.
  • Related functional & integration tests passing.

Contributor

@albill albill left a comment


r+

@jeffbryner jeffbryner self-requested a review March 31, 2017 22:02
<p>Repeat the attack using only your own description in order to prevent errors and omissions, update documentation.</p>

<h3>XSS reporting tips</h3>
<h2>Exclusions</h2>


It'd be nice to have an anchor here to email as reference for errant bounty reports (future..)

@craigcook
Member

Work in progress can be seen at https://www-demo1.allizom.org/security/

@@ -12,10 +12,10 @@ <h1 class="title-banner">{{ _('Handling Mozilla Security Bugs') }}</h1>

Member


I think the h1 on this page should get class="title-shadow-box" for the fancy red box treatment (until we rebrand all these pages, anyway).

Contributor Author


I believe @dveditz will be redoing that entire page soon; I just wanted to make a small update to it so that it no longer had incorrect information in bold right on the top. :)

@april
Contributor Author

april commented Apr 3, 2017

A running todo list for myself:

  • ACK -> HoF
  • Add XSS for non-critical actions
  • Payout -> Also gets HoF
  • Add IDOR to Authentication Bypass
  • Add domain takeovers
  • Change Order (Payout -> Exclusions -> Eligibility)
  • Remove Community Volunteer thing from Eligibility

@craigcook craigcook self-assigned this Apr 3, 2017
@rforbes
Contributor

rforbes commented Apr 4, 2017

looks good to me.

@april
Contributor Author

april commented Apr 4, 2017

I think at this point I really just need @claudijd to give r+, and maybe @dveditz to give it a once over and we can merge. Thanks for everybody's hard work on this!

@jeffbryner

Anything left before merge @craigcook ?

@alexgibson
Member

We just landed a new global navigation for the site in master. Can I suggest you rebase this branch just to make sure there are no surprises?

@claudijd

claudijd commented Apr 4, 2017

@april r+

@jeffbryner

@alexgibson @april is on leave for the next couple weeks, any way to do this without the rebase?

@alexgibson
Member

@jeffbryner this PR still needs to be reviewed by a bedrock committer before it can be merged. If @april is out on PTO then perhaps we can try to pick this up and finish it off for you, but I'm afraid we're all pretty busy with Q2 priorities this week.

@craigcook
Member

I can take it over but may not be able to get to it for a few days. Everything looks good for the most part, could just use a little tidying and the commits need to be squashed.

@jeffbryner

thanks @craigcook, let me know if there is anything I can do. If you have an ETA it will help me with comms timing.

@craigcook
Member

Closing this PR in favor of #4777

@craigcook craigcook closed this Apr 19, 2017
7 participants