Security bug fix process needs a clearly defined escalation process to be effective
Bug management/escalation process
- Two days after a sec-crit or sec-hi bug was assigned, if there has been no update on the bug, the assignee will receive an overdue email. If there is no activity on the bug for another day, the assignee's manager will be needinfo-ed. This step will continue to escalate every 2 days until the bug is updated with a next step. The escalation process stops when a developer is assigned to investigate and fix this P1 bug and has provided an update on how to land the patch, with an estimate.
- A weekly security bug status report will be sent to engineering managers, engineering directors, the Head of Trust and Safety, and release drivers.
- Every two weeks, the stakeholders will meet to review the sec-hi and sec-crit bug status for the relevant releases. Each role is defined in [1].
- Roles of stakeholders:
  - Driver: Wennie Leung
  - Approvers: Dan Veditz, Wennie Leung, Release owner of the relevant release (rotating)
  - Consult/Contributor: Marshall Erwin, Director of Trust and Safety; Emma Humphries, Bugmaster
  - Informed: Engineering Directors: Selena Deckelmann, Joe Hildebrand, Chris Karloff
- Meeting agenda:
  - Review the security bug status
  - Resolve the security bug fix exceptions: timeline for bug fixes and priorities
  - Determine the list of security bugs that can be shipped with the release without compromising its security and quality
- Escalation path
  - In the event that agreement cannot be reached by the sec bug stakeholders, issues will be escalated to the Sr Director of Engineering, Dave Camp, and the SVP of Firefox, Mark Mayo, for a decision.