==== Criteria ====
* All client bugs that ship in Firefox reported in Bugzilla with a sec-critical, sec-high, sec-moderate, or sec-low rating are normally included in an advisory.
* Exceptions are occasionally made for sec-low rated issues, especially internal reports, deemed too minor for advisory inclusion.
* Internally found memory corruption issues, usually found by developers or members of the fuzzing team, are included in a "roll-up" advisory that is a list of internally found and fixed issues affecting the previous release that were reported by employees or longtime community members. This roll-up does not get a detailed advisory but is simply a list of internally found issues.
* Externally reported security bugs with security ratings always receive an advisory outside of the above parameters if they affected a shipped Firefox release.
* Internally found vulnerabilities that are not simple memory corruption usually get a separate advisory and don't go in the "roll-up".
* Vulnerabilities that only existed in Nightly or Beta versions do not need an advisory.
==== Tag them ====