Security/Firefox/Security Bug Life Cycle: Difference between revisions

← Older edit

Security/Firefox/Security Bug Life Cycle (view source)

Revision as of 06:58, 10 March 2020

1,211 bytes added , 10 March 2020

Fixing queries to find older fixed bugs

Dveditz

canmove, Confirmed users

637

edits

@@ Line 44: / Line 44: @@
 == VulnSmash ==
-We must make sure the most severe security bugs are kept on track. For these bugs:
+We must make sure the most severe security bugs (critical and high) are kept on track. For these bugs:
 * Set the priority to P1
+** This matches the Firefox project's definition of "Fix in this release", which is also roughly our required time-to-fix for security bugs of this severity. See the [https://mozilla.github.io/bug-handling/triage-bugzilla#what-do-you-triage triage guide].
+** It may be appropriate for engineers to lower the priority later after consulting with their manager and the security team. P1 is the default absent an explanation of why it's necessary to keep our users at severe risk.
 * Set the appropriate version status flags to “affected”
 * Set the version tracking flags to “+”
@@ Line 52: / Line 54: @@
 [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled&order=Last+Changed '''Open sec-critical and sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical&order=Last+Changed include stalled]) <br>
-[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled])
+[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs''']([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled])<br>
+[https://mzl.la/2PJblUW '''Sec-critical/sec-high bugs without a priority''']
 == Administrivia ==
@@ Line 83: / Line 85: @@
-== Landing Fixes ==
+== Landing Fixes and Tests ==
-External parties watch our check-ins in order to identify security patches; we have several documented cases of this. We don’t want to 0-day ourselves by landing obvious fixes that sit in the tree for a long time before they are shipped in an update, and we especially don't want to land test cases that demonstrate how to trigger the vulnerability. The [https://wiki.mozilla.org/Security/Bug_Approval_Process '''Security Bug Approval Process'''] is designed to prevent that. Part of the approval process is evaluating what bugs need to be pushed to Beta and which are risky and need to ride the trains, and whether or not the patch is needed on supported ESR branches.
+External parties watch check-ins in order to identify security patches [https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/][https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html], and we have both documented and suspected cases of this for Firefox patches. We don’t want to 0-day ourselves by landing obvious fixes that sit in the tree for a long time before they are shipped in an update, and we especially don't want to land test cases that demonstrate how to trigger the vulnerability. The [https://wiki.mozilla.org/Security/Bug_Approval_Process '''Security Bug Approval Process'''] is designed to prevent that. Part of the approval process is evaluating what bugs need to be pushed to Beta and which are risky and need to ride the trains, and whether or not the patch is needed on supported ESR branches.
-Testcases for vulnerability fixes should be split into a separate patch for this "sec-approval" process. These testcases should land ''after'' we have shipped the fix in Release, usually by a few weeks to give users time to have applied the update. We '''must''' track the task of landing these patches later. You have two main options, and either are fine:
+Testcases for vulnerability fixes should be split into a separate patch for this "sec-approval" process. These testcases should land ''after'' we have shipped the fix in Release, usually by a few weeks to give users time to have applied the update. We '''must''' track the task of landing these patches later. You have two main options and either is fine. A task bug is more upfront work but more straightforward; the flag is easy but requires more follow-up.
-# Create a task bug assigned to yourself ("Land tests for bug XXXX"). It must be a hidden security bug like the main vulnerability was. Add the keyword '''sec-other''', or
+:'''Option 1:''' Create a task bug assigned to yourself ("Land tests for bug XXXX") that depends on the vulnerability bug. It must be a hidden security bug like the main vulnerability. Add the keyword <code>sec-other</code>
-# Track it in the original bug using the '''in-testsuite?''' flag. If you go this route you must remember to check for un-landed tests (queries below). Once the tests are landed change the flag to '''in-testsuite+'''.
+:'''Option 2:''' Track it in the original bug using the <code>in-testsuite?</code> flag. If you go this route you must remember to check for un-landed tests (queries below). Once the tests are landed change the flag to <code>in-testsuite+</code>
+[https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&f3=status_whiteboard&j2=OR&f5=CP&v1=in-testsuite%3F&v4=sec-&o1=substring&o4=substring&f1=flagtypes.name&f4=keywords&f2=OP&v3=%5Bsg%3A&emailassigned_to1=1&emailtype1=substring&email1=%25user%25&o3=substring&list_id=15143453 '''"My" security testcases that need landing'''] (personalized)<br>
+[https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&f3=status_whiteboard&j2=OR&f5=CP&v1=in-testsuite%3F&v4=sec-&o1=substring&o4=substring&f1=flagtypes.name&f4=keywords&f2=OP&v3=%5Bsg%3A&o3=substring&limit=0 '''All unlanded testcases for fixed security bugs''']<br>
 [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20sec-approval%3F '''Pending sec-approval requests''']
-[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX%20flag%3Ain-testsuite%3F%20kw%3Asec-%20assignee%3A%25user%25 '''"My" security bug testcases that need landing''']
+<br>
-[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX%20flag%3Ain-testsuite%3F%20kw%3Asec-&limit=0&order=cf_last_resolved '''All unlanded testcases for fixed security bugs''']
+<br>
 == Verifying Fixes ==
@@ Line 111: / Line 115: @@
 == Security Advisories ==
-The fixed bugs that had been present in a shipped release need to have a CVE assigned and to be written up in our release advisories. Security fixes for recent regressions that only affected Nightly or Beta don’t need an advisory. [https://docs.google.com/document/d/1S5Gs-CSEvr4X4TiuWXrNP4wXxyjZJTO-Q00-PBZFasQ/edit# Advisory instructions]
+The fixed bugs that had been present in a shipped release need to have a CVE assigned and to be written up in our release advisories. Security fixes for recent regressions that only affected Nightly or Beta don’t need an advisory. [https://wiki.mozilla.org/Security/Firefox/Security_Bug_Life_Cycle/Security_Advisories Advisory instructions]
 For historical write-ups see our