Security/Process/Secreview Bug Process

From MozillaWiki
Revision as of 22:31, 8 November 2013 by Curtisk (talk | contribs)
Status: Draft
Date: 2013.11.08
ToDo:
* Jump point for Vendor Reviews
* Jump point for Technical Privacy Reviews

Document Purpose

This document describes the lifecycle of the bugs used to engage the Security teams in security review activities. This includes bugs requesting an OpSec or AppSec review.

Initiating the Process

Bugs enter the process in one of two ways:

  1. The sec-review flag is set to ? on an existing bug
    • Notes:
      • Not used for bugs that are not already in the Security Assurance component.
      • Do not set a requestee for the flag, as that interferes with triage.
  2. A new bug is created in the Security Assurance: Review Request component


Bugs using sec-review ?

  • Bugs will be triaged weekly by the Security Program Management team (currently Wednesdays at 2pm PST).
  • The sec-review requestee will be set to the member of the team who will perform the necessary work.
  • Bugs with a work estimate of less than 1 hour
    • Notes on the work performed will be logged directly in the bug as a comment. Any security-sensitive issues found will be filed in the same component, with the appropriate security flags set, and marked as blocking the original bug.
  • Bugs with a work estimate of more than 1 hour
    • File a bug in the Security Assurance: Review Request component and follow the process below.

Questions to Address within Request Body

Security Assurance Review Request

  1. Who is/are the point(s) of contact for this review?
  2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
  3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in the feature description:
  4. Does this request block another bug? If so, please indicate the bug number.
  5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
  6. To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
  7. Please answer the following questions: (Note: if you are asked to describe anything, 1-2 sentences will suffice.)
    • Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
    • Are there any portions of the project that interact with 3rd party services?
    • Will your application/service collect user data? If so, please describe.
  8. If you feel something is missing here or you would like to provide other feedback, feel free to do so here (no limit on size):
  9. Desired date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.


Component = Security Assurance: Review Request -OR- flag = sec-review ?