Security/Firefox/Security Bug Life Cycle: Difference between revisions

Security/Firefox/Security Bug Life Cycle (view source)

Revision as of 20:08, 21 October 2019

498 bytes added , 21 October 2019

Link to document that supports the use of P1 for severe security bugs

Dveditz

canmove, Confirmed users

637

edits

@@ Line 44: / Line 44: @@
 == VulnSmash ==
-We must make sure the most severe security bugs are kept on track. For these bugs:
+We must make sure the most severe security bugs (critical and high) are kept on track. For these bugs:
 * Set the priority to P1
+** This matches the Firefox project's definition of "Fix in this release", which is also roughly our required time-to-fix for security bugs of this severity. See the [https://mozilla.github.io/bug-handling/triage-bugzilla#what-do-you-triage triage guide].
+** It may be appropriate for engineers to lower the priority later after consulting with their manager and the security team. P1 is the default absent an explanation of why it's necessary to keep our users at severe risk.
 * Set the appropriate version status flags to “affected”
 * Set the version tracking flags to “+”
@@ Line 53: / Line 55: @@
 [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled&order=Last+Changed '''Open sec-critical and sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical&order=Last+Changed include stalled]) <br>
 [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled])
 == Administrivia ==