Hi Tom,

Are we also updating 
https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html
 or 
does it already cover this update? We have 
https://bugzilla.mozilla.org/show_bug.cgi?id=2052120 which implies no, but 
double checking if someone is already on it.

On Thursday, June 18, 2026 at 8:24:04 PM UTC+2 Tom Ritter wrote:

> On behalf of the security team, we wanted to take this opportunity to 
> thank everyone for their continued resilience in the onslaught of security 
> bugs, as well as the varying levels of quality we’ve been getting out of 
> models. What works well one month seems to not work as well the next month, 
> and we’re trying to adapt.
>
> We also want to try to reduce friction and give you more agency and the 
> confidence to use it, so we’re changing some of the processes:
>
>
>    1. 
>    
>    The csectype-sandbox-escape keyword is for sandbox escapes to the 
>    Parent process *only* and where the attacker gets some sort of code exec 
> or 
>    OS access (like arbitrary file read).  If it’s to another process - it 
>    would get csectype-priv-escalation. If it’s “I can read another origin’s 
>    data” it’s csectype-site-isolation.
>    2. 
>    
>    When you are ready to land a patch, and the bug is not yet rated 
>    sec-high, moderate or low - please give it a rating.  If you’re not sure 
>    how to rate it, leave us a simple comment saying the impact of the bug, 
> and 
>    we will find it and rate it eventually.
>    1. 
>       
>       Examples: “With a compromised content process, an attacker can tell 
>       what websites you have open in PBM” or “In an unsupported configuration 
>       this is a sandbox escape”
>       2. 
>       
>       If you get any pushback from external reporters, you can just say 
>       something like “I will let the bug bounty committee review and correct 
> it 
>       if needed.”
>       3. 
>    
>    The sec-approval process is being significantly trimmed.  You will 
>    ONLY need to request sec-approval if the bug has the 
>    csectype-sandbox-escape tag.  (We will typically hold these until midway 
>    through the cycle)
>    1. 
>       
>       Please ensure the tracking flags are set correctly for beta and esr 
>       branches though!
>       
>
> We are updating our documentation, but please reach out if something is 
> missing, outdated, or unclear.
>
> We’re also going to have more updates to processes this year - more 
> detailed rating (and bounty) matrices that take into account different 
> process types, automated rating and triage tools, so if you have feedback 
> about how you would like things to work, please let us know.
>
> References:
>
> Client Severity Ratings and Keyword Definitions: 
> https://wiki.mozilla.org/Security_Severity_Ratings/Client 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/6776664d-58d4-4f56-9782-47ce11cf0ba4n%40mozilla.org.

Reply via email to