Security/Firefox/Security Bug Life Cycle: Difference between revisions

← Older edit

Security/Firefox/Security Bug Life Cycle (view source)

Revision as of 06:58, 10 March 2020

839 bytes added , 10 March 2020

Fixing queries to find older fixed bugs

Dveditz

canmove, Confirmed users

637

edits

@@ Line 44: / Line 44: @@
 == VulnSmash ==
-We must make sure the most severe security bugs are kept on track. For these bugs:
+We must make sure the most severe security bugs (critical and high) are kept on track. For these bugs:
 * Set the priority to P1
+** This matches the Firefox project's definition of "Fix in this release", which is also roughly our required time-to-fix for security bugs of this severity. See the [https://mozilla.github.io/bug-handling/triage-bugzilla#what-do-you-triage triage guide].
+** It may be appropriate for engineers to lower the priority later after consulting with their manager and the security team. P1 is the default absent an explanation of why it's necessary to keep our users at severe risk.
 * Set the appropriate version status flags to “affected”
 * Set the version tracking flags to “+”
@@ Line 52: / Line 54: @@
 [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled&order=Last+Changed '''Open sec-critical and sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical&order=Last+Changed include stalled]) <br>
-[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled])
+[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs''']([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled])<br>
+[https://mzl.la/2PJblUW '''Sec-critical/sec-high bugs without a priority''']
 == Administrivia ==
@@ Line 83: / Line 85: @@
-== Landing Fixes ==
+== Landing Fixes and Tests ==
 External parties watch check-ins in order to identify security patches [https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/][https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html], and we have both documented and suspected cases of this for Firefox patches. We don’t want to 0-day ourselves by landing obvious fixes that sit in the tree for a long time before they are shipped in an update, and we especially don't want to land test cases that demonstrate how to trigger the vulnerability. The [https://wiki.mozilla.org/Security/Bug_Approval_Process '''Security Bug Approval Process'''] is designed to prevent that. Part of the approval process is evaluating what bugs need to be pushed to Beta and which are risky and need to ride the trains, and whether or not the patch is needed on supported ESR branches.
@@ Line 95: / Line 97: @@
-[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX%20flag%3Ain-testsuite%3F%20kw%3Asec-%20assignee%3A%25user%25 '''"My" security testcases that need landing'''] (personalized)<br>
+[https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&f3=status_whiteboard&j2=OR&f5=CP&v1=in-testsuite%3F&v4=sec-&o1=substring&o4=substring&f1=flagtypes.name&f4=keywords&f2=OP&v3=%5Bsg%3A&emailassigned_to1=1&emailtype1=substring&email1=%25user%25&o3=substring&list_id=15143453 '''"My" security testcases that need landing'''] (personalized)<br>
-[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX%20flag%3Ain-testsuite%3F%20kw%3Asec-&limit=0&order=cf_last_resolved '''All unlanded testcases for fixed security bugs''']<br>
+[https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&f3=status_whiteboard&j2=OR&f5=CP&v1=in-testsuite%3F&v4=sec-&o1=substring&o4=substring&f1=flagtypes.name&f4=keywords&f2=OP&v3=%5Bsg%3A&o3=substring&limit=0 '''All unlanded testcases for fixed security bugs''']<br>
 [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20sec-approval%3F '''Pending sec-approval requests''']
 <br>
@@ Line 113: / Line 115: @@
 == Security Advisories ==
-The fixed bugs that had been present in a shipped release need to have a CVE assigned and to be written up in our release advisories. Security fixes for recent regressions that only affected Nightly or Beta don’t need an advisory. [https://docs.google.com/document/d/1S5Gs-CSEvr4X4TiuWXrNP4wXxyjZJTO-Q00-PBZFasQ/edit# Advisory instructions]
+The fixed bugs that had been present in a shipped release need to have a CVE assigned and to be written up in our release advisories. Security fixes for recent regressions that only affected Nightly or Beta don’t need an advisory. [https://wiki.mozilla.org/Security/Firefox/Security_Bug_Life_Cycle/Security_Advisories Advisory instructions]
 For historical write-ups see our