1286192 - No SPF record on getfirefox.com and browserid.org

Status: RESOLVED FIXED

(Infrastructure & Operations :: Infrastructure: Mail, task)

Description

[Takashi]

I had checked SPF record on newly added eligible domains.

These two domains are missing SPF record.

getfirefox.com

browserid.org

Comment 1

[Takashi]

off-topic comment

I checked whether my report is duplicate. "mozilla.org" and "firefox.com" are reported in the past, but I believe "getfirefox.com" and "browserid.org" have not been reported yet. If this is a duplicate issue, I am really sorry.

It's not clear to me that these domain's SPF are important for your team.

Another company paid bounty to a researcher even if no email was sent from reported domain.

source:  https://hackerone.com/reports/92740

I have no way to evaluate this, but I reported to your team because I believe this is "Missing Additional Security Controls(sec-moderate)."

Comment 2

[April King [:April]]

It's more of a mail infrastructure issue than a website bug.  We have hundreds of domains, and while this hasn't really been a problem in the (4 and 11 years) that these domains have been around respectively, it's still probably best practice to get SPF records on them, if we're not sending mail from them.

> v=spf1 -all

Comment 3

[Ed Lim [:limed]]

I can agree on adding:

> v=spf1 -all

To non email delivery / sending domains. 

I've added the rule for getfirefox.com however I don't control browserid.org so I can't change the DNS entries for that particular domain.

Comment 4

[Ed Lim [:limed]]

CC'ed appropriate person for browserid.org

Comment 5

[Daniel Veditz [:dveditz]]

Missing anti-spam protections are not eligible for a bug bounty

Comment 6

[Ed Lim [:limed]]

Nothing else on my part here