Mozilla recently announced some changes to the way it will interact with members of the security community who contribute code, bug reports and fixes for the Firefox Web browser and other open source tools under Mozilla’s watch. Michael Coates, director of security assurance at Mozilla, recently answered some questions about the changes and how they will impact how the organization deals with security researchers.
Threatpost: Rebooting suggests a lot of things; can you elaborate on the changes and what’s new here?
Michael Coates: The strength of Mozilla has always been our community. The Mozilla Security Group consists of security experts from all over the world in a variety of disciplines. In addition, we have numerous security contributors through bug bounties, code patches and more. Our goal in rebooting security engagement at Mozilla is to create additional paths for contributors to engage with security at Mozilla, grow the overall security community, and foster security skill development with everyone involved.
As part of our reboot we’ve introduced two new programs, Security Champions and Mentorships. The Security Champions program identifies subject matter experts in various parts of Mozilla that are interested in growing security knowledge as a complementary skill to leverage within their teams. The Mentorship program is an effort to engage with talented individuals throughout the world to collaborate on security-specific projects with the assistance of a Mozilla security mentor.
Threatpost: How do you envision contributors working toward creating open source tools for security work? What would it look like? What are some challenges there?
Michael Coates: At Mozilla we strongly believe in an open approach to security that engages the security community. Recently we’ve been working to foster the development of quality open source security tools. The main challenge in security tool development is identifying talented individuals and building pragmatic security solutions that are usable within a secure software development lifecycle. The Mentorship program will tackle these challenges by pairing skilled contributors with experienced security experts. In addition, the great part of all this work is that everyone will reap the rewards. The code and tools will all be open source and available for everyone to use.
Threatpost: How does the new program provide a path toward working with security at Mozilla?
Michael Coates: We’re not changing any of the current methods for contributing to Mozilla’s security efforts; what we are doing is finding ways of engaging that are cognizant of the challenges unique to the area. Contributors can decide for themselves how they want to be engaged, what best fits their personal growth plans and level of commitment to that effort. Through these programs individuals can grow their security skills, involvement, and contributions to Mozilla and the security industry.
Threatpost: Can you differentiate between contributors, champions and mentors?
Michael Coates: Traditionally, our security contributors have provided development efforts, code patches or identified vulnerabilities through our bounty program. The Security Champions program will identify subject matter experts in various areas throughout Mozilla that will bolster security as a secondary skill. These individuals will build security skills with our Mozilla security group and will spread security practices and knowledge to their teams on a daily basis. Mentors are experts in a particular security area that will assist and grow mentees as the mentee works to complete a security project, tool, or other selected idea.
Threatpost: Are you looking for new Mozilla employees? Or would these contributors/champions/mentors be outsiders?
Michael Coates: The goal of these new programs is to continue to grow and expand the Mozilla security community. Mozilla is awesome because of the collaborative expertise of a worldwide network of volunteers. Of course, not all contributors have access to the most critical bugs; these are assigned to our security group, which has both employees and trusted, vouched-for community contributors as members. We believe that this approach, together with these new programs, will further advance security at Mozilla, result in personal growth for everyone involved, and push forward the state of security as a whole.
Threatpost: What would be the motivation for someone to become involved in the program?
Michael Coates: A desire to grow their skills, to learn about security and apply their creative thinking in solving security and privacy issues. In addition, the mentor program enables an individual to work directly with an experienced security professional. Much of our initial interest has come from academia, where students are looking to add to their course work in preparation for future careers.
Threatpost: How productive/helpful has the bug bounty program been for Mozilla?
Michael Coates: The bug bounty has been extremely productive at Mozilla. The browser bug bounty program started in 2004 and critical web applications were included in 2010. The overall goal of this program has been to foster security research and innovation, with the overall impact of more secure products and applications for our users. Over the past 8 years we’ve paid over $750,000 in bounties to security researchers and we’ve found the program to be a huge success. We’ve helped develop a large network of security researchers, identified and fixed security concerns before users were at risk, and helped advance various aspects of building and testing secure software.
Threatpost: What kind of contributor engagement would you like to see beyond bug bounty-related work?
Michael Coates: Through these programs we hope to see creative and talented individuals engage to create great security tools, code, and projects in areas of mutual interest. The contribution of tools and techniques to help developers find and avoid security issues early in the development lifecycle is one area we think is particularly valuable.
Threatpost: Is this similar to something like Microsoft’s focus on researchers building defensive technology, rather than just submitting vulnerabilities?
Michael Coates: I don’t have the specifics of Microsoft’s program, but the Mozilla Security Champions and Mentorship programs are a natural evolution of the community-focused and open source nature that has always driven Mozilla and our code. Through the Mozilla Security Group and programs like our bounty program, we’ve always engaged our security community to help build secure and robust software. Our two new programs are another approach to provide resources and a framework to foster awesome security research, development and growth. We believe this program will benefit the security of Mozilla and our users, and also provide personal growth for the individuals involved. There is untapped talent eager to make a difference in the security world, and this program provides a path to make it possible.