Yes, I have a patch up for review in https://bugzilla.mozilla.org/show_bug.cgi?id=2048561 ; sorry for the delay.
-tom On Mon, Jul 6, 2026 at 7:56 AM Kagami Rosylight <[email protected]> wrote: > > Hi Tom, > > Are we also updating > https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html > or does it already cover this update? We have > https://bugzilla.mozilla.org/show_bug.cgi?id=2052120 which implies no, but > double checking if someone is already on it. > > On Thursday, June 18, 2026 at 8:24:04 PM UTC+2 Tom Ritter wrote: >> >> On behalf of the security team, we wanted to take this opportunity to thank >> everyone for their continued resilience in the onslaught of security bugs, >> as well as the varying levels of quality we’ve been getting out of models. >> What works well one month seems to not work as well the next month, and >> we’re trying to adapt. >> >> >> We also want to try to reduce friction and give you more agency and the >> confidence to use it, so we’re changing some of the processes: >> >> >> The csectype-sandbox-escape keyword is for sandbox escapes to the Parent >> process *only* and where the attacker gets some sort of code exec or OS >> access (like arbitrary file read). If it’s to another process - it would >> get csectype-priv-escalation. If it’s “I can read another origin’s data” >> it’s csectype-site-isolation. >> >> When you are ready to land a patch, and the bug is not yet rated sec-high, >> moderate or low - please give it a rating. If you’re not sure how to rate >> it, leave us a simple comment saying the impact of the bug, and we will find >> it and rate it eventually. >> >> Examples: “With a compromised content process, an attacker can tell what >> websites you have open in PBM” or “In an unsupported configuration this is a >> sandbox escape” >> >> If you get any pushback from external reporters, you can just say something >> like “I will let the bug bounty committee review and correct it if needed.” >> >> The sec-approval process is being significantly trimmed. You will ONLY need >> to request sec-approval if the bug has the csectype-sandbox-escape tag. (We >> will typically hold these until midway through the cycle) >> >> Please ensure the tracking flags are set correctly for beta and esr branches >> though! >> >> >> We are updating our documentation, but please reach out if something is >> missing, outdated, or unclear. >> >> >> We’re also going to have more updates to processes this year - more detailed >> rating (and bounty) matrices that take into account different process types, >> automated rating and triage tools, so if you have feedback about how you >> would like things to work, please let us know. >> >> >> References: >> >> Client Severity Ratings and Keyword Definitions: >> https://wiki.mozilla.org/Security_Severity_Ratings/Client >> >> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADua4_v5e1JYUgEwDvaVz2v8Wh4Z41KzUsqCsOVQQKLAD74w4Q%40mail.gmail.com.
