Security/Firefox/Security Bug Life Cycle/Security Advisories: Difference between revisions

→‎Process: do CVEs earlier, to give distributors a smoother process.
No edit summary
(→‎Process: do CVEs earlier, to give distributors a smoother process.)
Line 57: Line 57:
* use-after-free not 'use after free'
* use-after-free not 'use after free'
* Check if there are no community members on the rollup, and if so, remove that bit
* Check if there are no community members on the rollup, and if so, remove that bit
=== Get review ===
Confirm with dveditz ahead of time that he can take a look with a turn-around time of 2-3 days, and then send the yml files to him about a week or 8 days before the release date. Make edits.
Following that round, send the .yml files to the security-group list and solicit more feedback.  This should be done about 4 days before the release.


=== Assign CVEs ===
=== Assign CVEs ===
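Review bot: moving "Get review" from before "Assign CVEs" to after it means reviewer edits now land after CVE IDs are already handed out, and the text below says a roll-up advisory shares one CVE ID across a list of bugs while Mitre requires the assignment to be reported back in specified formats. If a review changes which bugs belong in an advisory (splitting or merging a roll-up), the CVE assignment has to be redone and re-reported. Suggest adding a sentence to the moved "Get review" section stating that review feedback should not change the bug-to-advisory grouping, or, if it does, that the affected CVE IDs must be reassigned before release.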
Line 73: Line 67:


The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.)
The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.)
=== Get review ===
Confirm with dveditz ahead of time that he can take a look with a turn-around time of 2-3 days, and then send the yml files to him about a week or 8 days before the release date. Make edits.
Following that round, send the .yml files to the security-group list and solicit more feedback.  '''This should be done about 4 days before the release.'''


=== Release ===
=== Release ===


Once CVEs are assigned, the yml files are checked into git and staged in the private https://github.com/mozilla/foundation-security-advisories-private/ repo. Release management will pull from this repo and commit it to the public https://github.com/mozilla/foundation-security-advisories/ repo which will make them live on the site in moments.
Before releasing ensure that no last-days uplift happened that would be ommitted. The yml files are checked into git and staged in the private https://github.com/mozilla/foundation-security-advisories-private/ repo. Release management will pull from this repo and commit it to the public https://github.com/mozilla/foundation-security-advisories/ repo which will make them live on the site in moments.
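Review bot: the added sentence "Before releasing ensure that no last-days uplift happened that would be ommitted." has a typo ("ommitted" should be "omitted") and does not say what the uplift would be omitted from. Suggest: "Before releasing, check that no last-minute uplift has landed that is not covered by the advisories." The bolded "about 4 days before the release" in the moved "Get review" section is consistent with the stated 2-3 day turn-around after sending the files a week or 8 days out, so no change needed there.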