Florian Weimer wrote:
> where can I find an updated security bug policy? It seems that it's
> been decided that crash bugs are not worth releasing advisories for,
> but I couldn't find any confirmation.

The policy hasn't changed AFAIK, and it's still here:
http://www.mozilla.org/projects/security/security-bugs-policy.html

Unexploitable crashers (like null pointer access) have never been
categorized as security issues in the Mozilla client products. Servers
are a different thing, so even a null pointer crash in NSS or NSPR may
be considered a security issue because of server DoS.

--
Heikki Toivonen
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
