* Heikki Toivonen: > Florian Weimer wrote: >> where can I find an updated security bug policy? It seems that it's >> been decided that crash bugs are not worth releasing advisories for, >> but I couldn't find any confirmation. > > The policy hasn't changed AFAIK, and it's still here: > http://www.mozilla.org/projects/security/security-bugs-policy.html
The policy does not really define what a security bug is. Definitions tend to vary, especially with respect to crash-only bugs. > Unexploitable crashers (like null pointer access) have never been > categorized as security issues in the Mozilla client products. Okay, thanks. _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security