Hi Tom, Are we also updating https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html or does it already cover this update? We have https://bugzilla.mozilla.org/show_bug.cgi?id=2052120 which implies no, but double checking if someone is already on it.
On Thursday, June 18, 2026 at 8:24:04 PM UTC+2 Tom Ritter wrote: > On behalf of the security team, we wanted to take this opportunity to > thank everyone for their continued resilience in the onslaught of security > bugs, as well as the varying levels of quality we’ve been getting out of > models. What works well one month seems to not work as well the next month, > and we’re trying to adapt. > > We also want to try to reduce friction and give you more agency and the > confidence to use it, so we’re changing some of the processes: > > > 1. > > The csectype-sandbox-escape keyword is for sandbox escapes to the > Parent process *only* and where the attacker gets some sort of code exec > or > OS access (like arbitrary file read). If it’s to another process - it > would get csectype-priv-escalation. If it’s “I can read another origin’s > data” it’s csectype-site-isolation. > 2. > > When you are ready to land a patch, and the bug is not yet rated > sec-high, moderate or low - please give it a rating. If you’re not sure > how to rate it, leave us a simple comment saying the impact of the bug, > and > we will find it and rate it eventually. > 1. > > Examples: “With a compromised content process, an attacker can tell > what websites you have open in PBM” or “In an unsupported configuration > this is a sandbox escape” > 2. > > If you get any pushback from external reporters, you can just say > something like “I will let the bug bounty committee review and correct > it > if needed.” > 3. > > The sec-approval process is being significantly trimmed. You will > ONLY need to request sec-approval if the bug has the > csectype-sandbox-escape tag. (We will typically hold these until midway > through the cycle) > 1. > > Please ensure the tracking flags are set correctly for beta and esr > branches though! > > > We are updating our documentation, but please reach out if something is > missing, outdated, or unclear. > > We’re also going to have more updates to processes this year - more > detailed rating (and bounty) matrices that take into account different > process types, automated rating and triage tools, so if you have feedback > about how you would like things to work, please let us know. > > References: > > Client Severity Ratings and Keyword Definitions: > https://wiki.mozilla.org/Security_Severity_Ratings/Client > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/6776664d-58d4-4f56-9782-47ce11cf0ba4n%40mozilla.org.
