Yes, I have a patch up for review in
https://bugzilla.mozilla.org/show_bug.cgi?id=2048561 ; sorry for the
delay.

-tom

On Mon, Jul 6, 2026 at 7:56 AM Kagami Rosylight <[email protected]> wrote:
>
> Hi Tom,
>
> Are we also updating 
> https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html
>  or does it already cover this update? We have 
> https://bugzilla.mozilla.org/show_bug.cgi?id=2052120 which implies no, but 
> double checking if someone is already on it.
>
> On Thursday, June 18, 2026 at 8:24:04 PM UTC+2 Tom Ritter wrote:
>>
>> On behalf of the security team, we wanted to take this opportunity to thank 
>> everyone for their continued resilience in the onslaught of security bugs, 
>> as well as the varying levels of quality we’ve been getting out of models. 
>> What works well one month seems to not work as well the next month, and 
>> we’re trying to adapt.
>>
>>
>> We also want to try to reduce friction and give you more agency and the 
>> confidence to use it, so we’re changing some of the processes:
>>
>>
>> The csectype-sandbox-escape keyword is for sandbox escapes to the Parent 
>> process *only* and where the attacker gets some sort of code exec or OS 
>> access (like arbitrary file read).  If it’s to another process - it would 
>> get csectype-priv-escalation. If it’s “I can read another origin’s data” 
>> it’s csectype-site-isolation.
>>
>> When you are ready to land a patch, and the bug is not yet rated sec-high, 
>> moderate or low - please give it a rating.  If you’re not sure how to rate 
>> it, leave us a simple comment saying the impact of the bug, and we will find 
>> it and rate it eventually.
>>
>> Examples: “With a compromised content process, an attacker can tell what 
>> websites you have open in PBM” or “In an unsupported configuration this is a 
>> sandbox escape”
>>
>> If you get any pushback from external reporters, you can just say something 
>> like “I will let the bug bounty committee review and correct it if needed.”
>>
>> The sec-approval process is being significantly trimmed.  You will ONLY need 
>> to request sec-approval if the bug has the csectype-sandbox-escape tag.  (We 
>> will typically hold these until midway through the cycle)
>>
>> Please ensure the tracking flags are set correctly for beta and esr branches 
>> though!
>>
>>
>> We are updating our documentation, but please reach out if something is 
>> missing, outdated, or unclear.
>>
>>
>> We’re also going to have more updates to processes this year - more detailed 
>> rating (and bounty) matrices that take into account different process types, 
>> automated rating and triage tools, so if you have feedback about how you 
>> would like things to work, please let us know.
>>
>>
>> References:
>>
>> Client Severity Ratings and Keyword Definitions: 
>> https://wiki.mozilla.org/Security_Severity_Ratings/Client
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADua4_v5e1JYUgEwDvaVz2v8Wh4Z41KzUsqCsOVQQKLAD74w4Q%40mail.gmail.com.

Reply via email to