On Sep 18, 2013, at 9:47 AM, Christopher Lee wrote:

> +dev-b2g for additional input/thoughts
> 
> Thanks,
> Chris
> 
> ----- Original Message -----
>> From: "Jim Porter" <jpor...@mozilla.com>
>> To: "Chris Lee" <c...@mozilla.com>, "martin kurze" 
>> <martin.ku...@telekom.de>, ma...@sec.t-labs.tu-berlin.de
>> Sent: Tuesday, September 17, 2013 6:20:43 PM
>> Subject: Firefox OS security discussion
>> 
>> Hi all,
>> 
>> At the Oslo work week, we talked about some of the difficulties outside
>> contributors have with reporting security issues in Firefox OS to
>> Mozilla. My understanding is that there's one main contact at Mozilla,
>> with a few people under him. There was a little confusion about that,
>> but I believe that's what Chris Lee said when I asked.
>> 
>> Since security is really important, we should try to come up with ways
>> to make it easier for non-Mozilla people to know where to go with
>> security issues.

There is an existing process for reporting security bugs at Mozilla, which 
applies to Firefox OS bugs as well:
http://www.mozilla.org/security/

In summary: for all security issues send a mail to secur...@mozilla.org

(Feel free to cc me for Firefox OS 

>> 
>> One thing that might help, and which is relatively simple, would be for
>> each of the functional teams (Media Apps, Browser, etc) to have a
>> designated security contact. They would keep up-to-date with the
>> existing Firefox OS security group and also help direct security-related
>> questions to the right people.

This would be great. I requested this on the internal list several months ago 
(subject: 'Security engagement in a growing team') but did not get any 
response. From that email:

- In other areas we follow a security champion model, where a representative 
from each team is nominated as a security rep. There are plenty of security 
conscious people in the various b2g teams, so I would like to create a group 
containing reps from each team. Then a mailing list so security (team) can 
reach out to these reps when needed, and vice versa. 

>> 
>> There are probably other things that would help, e.g. thinking about
>> what kind of Bugzilla permissions we need to make things easier. Since
>> many of Mozilla's partners are competitors, we'd need to be careful. I'm
>> not entirely sure what we'd do here, since I don't currently have access
>> to security-sensitive bugs in the first place, but maybe those who do
>> would have ideas.

What issue are we trying to solve here? Making security issues more visible to 
the various teams? If we had reps from each team, it may be appropriate to 
grant them access to the b2g security sensitive bugs flag which may help?

>> 
>> We should also make sure that whatever the process is, it's
>> well-documented and communicated to everyone, so that no one feels lost
>> when reporting a security issue.

Again, see above. Basically, at its simplest, it means emailing 
secur...@mozilla.org for assistance, and we raise a secure bug on their behalf. 

Feel free to reach out to me directly (in my role as Security Manager for 
Firefox OS), but urgent issues should be reported to security@ to ensure that 
someone sees it asap.

>> 
>> Obviously, feel free to suggest other things (including things I may
>> have forgotten!) and/or add other people to the discussion who might
>> have some good insights.

Thanks for raising the profile of this issue - as the team grows, it becomes 
more and more infeasible to be across the entire project. Ultimately security 
is everyone's responsibility, but it would be great to have elected reps in each 
team who are more responsible for security, to prevent the situation where 
everyone assumes that someone else is looking after it.

-Paul

>> 
>> - Jim
>> 
> _______________________________________________
> dev-b2g mailing list
> dev-b2g@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-b2g
