This policy applies to MDN's website (developer.mozilla.org), backend services, and GitHub repositories in the mdn organization. Issues affecting other Mozilla products or services should be reported through the Mozilla Security Bug Bounty Program.

For non-security issues, please file a content bug, a website bug or a content/feature suggestion.

If you discover a potential security issue, please report it privately via https://hackerone.com/mozilla.

If you prefer not to use HackerOne, you can report it via https://bugzilla.mozilla.org/form.web.bounty.

Vulnerabilities in MDN may qualify for Mozilla's Bug Bounty Program. Eligibility and reward amounts are described on https://hackerone.com/mozilla.

Please use the above channels even if you are not interested in a bounty reward.

Please do not publicly disclose details until Mozilla's security team and the MDN engineering team have verified and fixed the issue.

We appreciate your efforts to keep MDN and its users safe.