Security/Firefox/Security Bug Life Cycle: Difference between revisions

Edit summaries: m (minor re-wording); (link to doc)
Security bugs in our product put people millions of people at risk. To fulfill Mozilla's mission we must discover those bugs, fix them, and ship those fixes. This process involves multiple teams across the organization. This page describes a bug-centric view of the tasks that are part of that process as a sort of outline to make sure we are executing on each step. There are also handy bugzilla queries that will be helpful for people as they work on each task.
Security bugs in our product put millions of people at risk. To fulfill Mozilla's mission we must discover those bugs, fix them, and ship the fixes. This process involves multiple teams across the organization. This page describes a bug-centric view of the tasks that are part of that process, serving almost as a checklist to make sure we are executing on each step. There are also handy bugzilla queries that will be helpful for engineers as they work on each task.




Since this is a bug-centric view there are many important activities performed by Mozilla security teams that are not mentioned, or only briefly. Fuzzing, static analysis, and other research are an input into this process: a source of bug discovery (and much preferred to bugs being found in the wild). The analysis step described in this page can be an input to the efforts to harden Firefox against exploits (e.g. sandboxing, site-isolation, and mitigating XSS in privileged UI code).
Since this is a bug-centric view there are many important activities performed by Mozilla security teams that are not mentioned, or only briefly. Fuzzing, static analysis, and other research are an input into this process, serving as a source of bug discovery--and much preferred to bugs being found in the wild. The analysis step described in this page can be an input to the efforts to harden Firefox against exploits (for example, sandboxing, site-isolation, and mitigating XSS in privileged UI code).




'''Note:''' The bugzilla links in this document are intended for the people performing the tasks described in the sections where they are found. Most of them will yield empty or incomplete results unless you are logged in to bugzilla.mozilla.org and have access to security bugs.
'''Note:''' The bugzilla links in this document are intended for engineers performing the tasks described in the sections where they are found. Most of them will yield empty or incomplete results unless you are logged in to bugzilla.mozilla.org and have access to security bugs.


= A Bug is Born =