AppSec Jobs

Mozilla

Senior Security Engineer, Add-ons Operations

Remote, Canada

Full details on LinkedIn

The complete job description, requirements, and application details are available on the original posting.


About Mozilla

Mozilla is a global open-source software organization dedicated to promoting openness, innovation, and opportunity on the internet. Founded in 1998, it began when Netscape Communications Corporation released its browser suite source code, allowing programmers worldwide to contribute. Mozilla operates through two main entities: the Mozilla Foundation, a non-profit organization, and the Mozilla Corporation, a subsidiary that manages commercial operations. Mozilla's flagship product is the Firefox browser, a free and open-source web browser that emphasizes user choice and control. Other notable products include Thunderbird, an email client, and the Mozilla Developer Center, which provides resources for web standards and development. Mozilla also supports community initiatives, offering grants for web accessibility improvements and exploring new technology areas like Mozilla.ai. The organization thrives on collaboration, with thousands of volunteers contributing to its projects and initiatives globally.

Industry

information technology & services

Employees

1,800

634 engineers

Revenue

$653M


Security at Mozilla

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

  • Mozilla's stated AppSec mission is that "The Mozilla Security community provides leadership in security".
  • Their approach to developer enablement versus gatekeeping involves "embedding security into the full Software Development Life Cycle (SDLC)".
  • The risk philosophy includes "proactive threat modeling" and helping to "define the risks around your services and data".
  • Stated pain points or goals include to "reduce risk in applications" and "Help shape Mozilla's security culture".
  • Gaps identified include the lack of a publicly available explicit mission statement for an "Application Security" sub-team distinct from broader Security Assurance.
  • No public page labeled "AppSec organization charter".

Security Team

Mozilla's security organization structure indicates that "Security at Mozilla is distributed among the following teams:", with Stephanie Domas, Vice President of Security, leading "Mozilla's global security team". Chris Karlof, VP of Services Engineering, is "responsible for the services and platforms that power Firefox". An estimate of team size is "Information not publicly available" based on a LinkedIn search. As of, there are 2 active AppSec job postings: "Staff Security Engineer" (Job ID: 7257630) and "Staff Security Engineer, Product Security" (Job ID: 7539147). Common skill and tool patterns mentioned in postings include "application security testing (SAST, DAST)", languages like "Python, Go, JavaScript", and tools such as "Burp Suite, Nessus". Gaps include the lack of a publicly available explicit org chart showing where "Application Security" engineers are embedded and precise team size.

Key Initiatives

The status of a Security Champions Program is "No Evidence Found — Information not publicly available". For "Shift Left" in practice, Mozilla aims to "Develop and maintain automated security tests within CI/CD pipelines to catch vulnerabilities early." and "Ensure software products are secure by embedding security into the full Software Development Life Cycle (SDLC)." The vulnerability management process involves intake via email to "security@mozilla.org" for reporting vulnerabilities, and guidelines exist "for fixing a core-security bug in Firefox", with coordination with the Security Incident Response Team on "incident retrospectives and follow up on security remediation". Secure SDLC artifacts include conducting "risk assessments and security reviews for SaaS and custom-developed applications and services", performing "security code reviews", and utilizing "Rapid Risk Assessment (RRA)". Recent initiatives (last 6 months) are "Information not publicly available". Gaps include no public evidence for an enterprise-wide Security Champions program, published SLAs for vulnerability remediation, or a publicly posted AppSec roadmap.
