Hi all,

For those who don't know, we publish detailed security advisories
<https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/> for
every new Firefox release.
A typical advisory lists 10 to 20 security issues with a title, their
severity, the reporter and a description. Writing these advisories is a
cumbersome, manual process that takes too much time.

We believe that this is not time well spent.
We don't believe that people should make their decision on whether to update
Firefox based on the individual CVEs that were fixed in a specific release.
As an evergreen product in a connected world, Firefox is only kept secure
if full browser updates are applied as soon as possible and not weighed on
the little information that we can include in our description.
People who *do* need more information and are building software downstream
of our source code may be nominated for our security group
<https://www.mozilla.org/en-US/about/governance/policies/security-group/membership/>.
This group gets insights into the actual bugs and their fixes ahead of
release.
We will continue to make security bugs public once they have been fixed and
when a significant portion of our users have had the chance to apply an update.
This typically happens a couple of months after the specific release.

As a result of these considerations, we would like to switch our security
advisory format to a simpler template that contains fewer details. We intend
to keep the following information: CVE-ID, Severity, Reporter, Title,
Component and a reference to the bug on Bugzilla.

We do not plan to implement these changes right away and want to gather
feedback before doing so. If you are someone who relies on the information
that we currently provide, please reply to this thread on dev-platform. If
the details are very sensitive, feel free to send to [email protected]
instead.

Thank you,
Frederik Braun on behalf of the Firefox Application Security Team

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAE5OA1XcEiXGZs2YWiyLBcxoWnrer_X1VGdk2d%3DHcHFWOh-mUA%40mail.gmail.com.