124
edits
Security/Firefox/Security Bug Life Cycle/Security Advisories: Difference between revisions
Jump to navigation
Jump to search
Security/Firefox/Security Bug Life Cycle/Security Advisories (view source)
Revision as of 19:57, 14 November 2019
, 14 November 2019→Criteria
| Line 15: | Line 15: | ||
==== Criteria ==== | ==== Criteria ==== | ||
* All client bugs that ship in Firefox reported in Bugzilla with a sec-critical, sec-high, sec-moderate, or sec-low rating are normally included in an advisory. | |||
* Exceptions are occasionally made for sec-low rated issues, especially internal reports, deemed too minor for advisory inclusion. | |||
* Internally found memory corruption issues, usually found by developers or members of the fuzzing team, are included in a “roll-up” advisory that is a list of internally found and fixed issues affecting the previous release that were reported by employees or longtime community members. This roll up does not get a detailed advisory but is simply a list of internally found issues. | |||
* Externally reported security bugs with security ratings always receive an advisory outside of the above parameters if they affected a shipped Firefox release. | |||
* Internally-found vulnerabilities that are not simple memory corruption usually get a separate advisory and don't go in the "roll-up". | |||
* Vulnerabilities that only existed in Nightly or Beta versions do not need an advisory. | |||
==== Tag them ==== | ==== Tag them ==== | ||