From MozillaWiki


We have four team goals this quarter:

  • [NEW] Unify our security & privacy review operations with User Data Council work
    • Identify and document single point of contact for privacy+security by design.
    • Socialize the flow for getting security/privacy/UDC involved early on, to aid in-flight design and development.
  • [NEW] Mobile Fuzzing
    • Get LangFuzz to ARM architecture (Linux/Tegra)
    • Get LangFuzz to mobile (Browser on Android) - has dependency on Jetpack
  • [NEW] Finalize security criteria, ready to socialize along with a few other areas of non-feature work
  • [NEW] Telemetry/User Research - prioritize feature development and code hygiene work
    • Get stats on features we want to end-of-life (enablePrivilege, etc.)
    • Frequency of cert errors (counting each of: expired, self-signed, wrong domain), OCSP successes/failures (non-responses, server errors, revoked, valid), and frequency of mixed content encountered (bucketed into mixed display and mixed scripting).

Start working on CA - scope of problems, avenues to explore, supporting experimentation

  • Meeting at 2 PT today


  • Evangelize security, both our team and processes, as well as security in general
  • Gary is going to Malaysia. Nov 18-20
    • Main topic: High level fuzz-testing overview
    • Security bug bounties
    • (not yet notified Gen or Mary)
  • Curtis is going to Berlin. Nov 10-14
    • Speaking: neurobiology of decision-making (?) - waiting to see if the talk proposal is accepted
  • If you're interested in going and/or speaking, ask Mary and Gen whether you can get yourself invited.


  • Please use light/pastel background colors.
  • The new “private pads” feature is not as easy to use as we hoped.

User Research/Studies

Effort estimates

What would it take to use TestPilot or Telemetry to do studies? Here are some rough estimates for each study we wish to deploy:

  • TestPilot: (roughly 3 weeks to data) ~1 week of coding, 2-5 days of UR team help, then the duration of the study deployment
    • Appropriate for web usage measurements (perhaps related to individuals' behaviors)
  • Telemetry: (roughly 3 weeks to limited data) ~1 week of coding, time for review (2-5 days), in Nightly immediately
    • Bigger sample every six weeks (as it graduates to Aurora, Beta, Release)
    • Appropriate for software performance measurements and feature usage measurements.

Ideas for studies

Any study will require at least cursory privacy review.


Recently Completed SecReviews

Recently Completed Privacy Reviews

Action Items

  • [dchan] will look at TP and telemetry studies to see how involved the coding is, and decide whether or not he wants to champion a study
  • [curtisk] Process request: send reminder mail to secreview attendees day before