User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36 Steps to reproduce: Hey there I found the existance of poodle attack in mail.mozilla.org I tested the domain using poodlescan.com and found it to be vulnerable Actual results: The SSL v3 is allowed on the domain making it vulnerable Expected results: The domain should not have been vulnerable
Awaiting your reply on this
Please use the list of available sites for the bounty program at https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs . This site is not on the list and, in fact, we have transitioned away from it for Mozilla email.
So this counts as a hostile sub domain. Don't you think that. Because one way or another it proves a vulnerability
It isn't on the list so it would have to be an extremely bad vulnerability in order to be worth a bounty. This is a subdomain scheduled to be decommissioned. I suggest actually using the list of eligible domains in the FAQ when looking for bounties.
I will, Thanks for the suggestion. And sorry for the stupid questions
The use of SSLv3 on this domain is voluntary. We're aware of the risks, and have accepted them. Thanks for reporting it, but this is not a vulnerability.