On 09/18/2013 03:26 AM, Paul Theriault wrote:
> There is an existing process for reporting security bugs at Mozilla, which
> applies to Firefox OS bugs as well:
> http://www.mozilla.org/security/
> In summary: for all security issues send a mail to [email protected]

Good to know; I figured we had something like this already.

>> One thing that might help, and which is relatively simple, would be for
>> each of the functional teams (Media Apps, Browser, etc.) to have a
>> designated security contact. They would keep up-to-date with the
>> existing Firefox OS security group and also help direct security-related
>> questions to the right people.
>
> This would be great. I requested this on the internal list several months ago
> (subject: 'Security engagement in a growing team') but did not get any
> response. From that email:
>
> - In other areas we follow a security champion model, where a representative
> from each team is nominated as a security rep. There are plenty of
> security-conscious people in the various b2g teams, so I would like to create
> a group containing reps from each team. Then a mailing list so security (team)
> can reach out to these reps when needed, and vice versa.

Excellent. It sounds like we have the same idea. Security champions on
each functional team would definitely help keep everyone mindful of
security issues. At least on the media team, we don't talk much about
security, which I think is mostly because we don't (or at least, I
don't) have any direct contact with security folks.

>> There are probably other things that would help, e.g. thinking about
>> what kind of Bugzilla permissions we need to make things easier. Since
>> many of Mozilla's partners are competitors, we'd need to be careful. I'm
>> not entirely sure what we'd do here, since I don't currently have access
>> to security-sensitive bugs in the first place, but maybe those who do
>> would have ideas.
>
> What issue are we trying to solve here? Making security issues more visible to
> the various teams? If we had reps from each team, it may be appropriate to
> grant them access to the b2g security-sensitive bugs flag, which may help?

Sorry for being vague. I was thinking in terms of what, if anything, we
should do with partners who regularly report issues for us. Should they
have access to security-sensitive bugs on Bugzilla? Just a subset of
those bugs? I'm not sure.

Maybe the status quo is right. I don't think I have the perspective to
say one way or the other, since I'm neither an external partner nor a
member of the security team at Mozilla.

> Thanks for raising the profile of this issue - as the team grows, it becomes
> more and more infeasible to be across the entire project. Ultimately security
> is everyone's responsibility, but it would be great to have elected reps in
> each team who are more responsible for security, to prevent the situation
> where everyone assumes that someone else is looking after it.

Agreed. I think it's also important to distribute this knowledge so we
can be aware of when we need *less* security, e.g. allowing some of our
Web APIs to be used by non-certified applications. With the exception of
some particularly sensitive APIs (voice, SMS, etc.), it would be nice if
we could gradually open up the APIs so that third parties can do
interesting things too.
- Jim
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g