I am sorry for having to write this email. I would have preferred Mozilla to fix this internally. I will try to hide any bug details as I still think that there is no use in disclosing these bugs publicly.

I have reported two security bugs (1226977, 1226979) in Firefox 80 days ago on November 22, 2015 and sent notification emails about them to [email protected] on November 22, 2015, December 2, 2015, and January 6, 2016 (the last one including Chris Beard to make management aware that something is wrong at Mozilla). Apart from auto-replies ("[...] we'll investigate and follow up with your message shortly."), I only received one answer to my second email stating that some developers would not hopefully have a look at them. However, these bugs have not even been confirmed by Mozilla by now!

I think it is not enough to say "We are a foundation, we are good!" and the Mozilla Manifesto ("Individuals' security [...] must not be treated as optional.") becomes total marketing slang if it has no defined and verifiable practical consequences. One bug I reported is related to software of another (commercial) software vendor, who confirmed and discussed it within 24 hours of reporting (despite the bug most likely actually being in Firefox) without having a Mozilla Manifesto.

Neither the "Handling Mozilla Security Bugs" policy (<https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/>) nor the "Client Bug Bounty Program" (<https://www.mozilla.org/en-US/security/client-bug-bounty/>) includes any timeframe, but I believe 80 days for even trying to confirm a security bug is way too much. I guess it would be a good idea to include specific timeframes in the policy, like a default of 7 days for confirming and 60 days for fixing security bugs. To make this verifiable by the public, Bugzilla could send reminders (only including bug numbers) about security-sensitive bugs that are still unconfirmed/unfixed after these timeframes to a public mailing list, where at least a target date for their confirmation/resolution could be discussed.

Needless to say, it is also not very satisfying to spend time on writing a reduced test case and reporting security bugs, and then to have to spend even more time keeping the issue in mind and trying to make Mozilla even look at it, only to face total ignorance.

Best regards,
Rafael
_______________________________________________
governance mailing list
[email protected]
https://lists.mozilla.org/listinfo/governance