From MozillaWiki

Firefox Operations Security

Firefox Operations Security is responsible for application & operations security for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission-critical service.

Email us at secops@mozilla.com.

To report a security issue on a given site, use the bug bounty form as explained here.

To tell us about a new service, create a New Service issue.

Product Lines

Firefox Accounts

Addons.mozilla.org

Browser services (sync, push, normandy, remote settings, balrog, product delivery, etc.)

Data services (telemetry, pioneer, taar, prio, etc.)

Web presence of Premium services (FxSend, FxMonitor, FPN website, etc.)

Release Engineering (taskcluster, shipit, *.build.m.o, build infra, etc.)

Developer Services (phabricator, lando, bugzilla, sentry, crash reports, etc.)

Scope

Application security

Responsibility for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission-critical service.

Risk assessments

Security Reviews

Manual and automated testing

Review risks with product owners

Security incident management

The application security group also owns cryptographic services (autograph, tls canary, tls observatory, etc.) and appsec tooling (zap, dependency observatory, etc.).

Operations security

Responsibility for infrastructure and hosting of Firefox services.

Covers the security of AWS and GCP infrastructure, and datacenters for the build infra

Security operations consulting for the Firefox organization at large

The operations security group also owns the fraud pipeline (foxsec-pipeline) and secops tooling (frost, sops, etc.).

Risk Management

Responsibility for maintaining visibility into the security posture of the Firefox infrastructure.

Rapid Risk Assessments framework & associated tooling

Security posture reports & leadership reporting

Security Checklist

This has moved to https://github.com/mozilla-services/websec-check

About the logo

The Firefox Operations Security logo is derived from this work by Synth Agency, and published under the Creative Commons Attribution-NonCommercial 4.0 International Public License.