On behalf of the security team, we wanted to take this opportunity to thank
everyone for their continued resilience in the face of the onslaught of
security bugs, as well as the varying levels of quality we've been getting out
of models. What works well one month seems not to work as well the next month,
and we're trying to adapt.
We also want to try to reduce friction and give you more agency and the
confidence to use it, so we're changing some of the processes:
1. The csectype-sandbox-escape keyword is for sandbox escapes to the parent
   process *only*, and where the attacker gets some sort of code execution or
   OS access (like arbitrary file read). If it's to another process, it would
   get csectype-priv-escalation. If it's "I can read another origin's data",
   it's csectype-site-isolation.

2. When you are ready to land a patch, and the bug is not yet rated
   sec-high, sec-moderate or sec-low, please give it a rating. If you're not
   sure how to rate it, leave us a simple comment stating the impact of the
   bug, and we will find it and rate it eventually.

   1. Examples: "With a compromised content process, an attacker can tell
      what websites you have open in PBM" or "In an unsupported configuration
      this is a sandbox escape".

   2. If you get any pushback from external reporters, you can just say
      something like "I will let the bug bounty committee review and correct
      it if needed."

3. The sec-approval process is being significantly trimmed. You will ONLY
   need to request sec-approval if the bug has the csectype-sandbox-escape
   keyword. (We will typically hold these until midway through the cycle.)

   1. Please ensure the tracking flags are set correctly for the beta and esr
      branches, though!
We are updating our documentation, but please reach out if something is
missing, outdated, or unclear.
We’re also going to have more updates to processes this year - more
detailed rating (and bounty) matrices that take into account different
process types, automated rating and triage tools, so if you have feedback
about how you would like things to work, please let us know.
References:
Client Severity Ratings and Keyword Definitions:
https://wiki.mozilla.org/Security_Severity_Ratings/Client
To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADua4_v3j7FyXNyoSzH%3DqVaraJaf-73hsXwVN0M0gmz2OvpfZA%40mail.gmail.com.