Security/Firefox/Security Bug Life Cycle/Security Advisories: Difference between revisions

* Externally reported security bugs with security ratings always receive an advisory outside of the above parameters if they affected a shipped Firefox release.
* ASAN Nightly bugs go into the roll-up advisory.
* Sometimes we know a large library update will fix vulnerabilities, but we don't know _which_ vulnerabilities it fixes (often upstream does not assign CVEs, and we aren't allowed to assign CVEs for them), or whether there are any vulnerabilities at all (though we suspect there are). We try to avoid this, but in these cases it is acceptable to issue a CVE with details such as 'Angle graphics library out of date' - 'An out-of-date graphics library (Angle) [likely] contained vulnerabilities that could potentially be exploited.'
* Internally-found vulnerabilities that are not simple memory corruption usually get a separate advisory and don't go in the roll-up.
* Vulnerabilities that only existed in Nightly or Beta versions do not need an advisory.