Hello sec team! On Tue, May 13, 2025 at 5:44 AM 'Frederik Braun' via [email protected] <[email protected]> wrote:
> Hi all, > > For those who don't know, we publish detailed security advisories > <https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/> > for every new Firefox release. > A typical advisory lists 10 to 20 security issues with a title, their > severity, the reporter and a description. Writing these advisories is a > cumbersome, manual process that takes too much time. > > We believe that this is not time well spent. > We don't believe that people should make their decisions whether to update > Firefox based on the individual CVEs that were fixed in a specific release. > As an evergreen product in a connected world, Firefox is only kept secure > if full browser updates are applied as soon as possible and not weighed on > the little information that we can include in our description. > People that *do* need more information and are building software > downstream of our source code may be nominated for our security group > <https://www.mozilla.org/en-US/about/governance/policies/security-group/membership/>. > This group gets insights into the actual bugs and their fixes ahead of > release. > We will continue to make security bugs public once they have been fixed > and when a significant portion of our users had the chance to apply an > update. This typically happens a couple of months after the specific > release. > > As a result of these considerations, we would like to switch our security > advisory format to a simpler template that contains less details. We intend > to keep the following information: CVE-ID, Severity, Reporter, Title, > Component and a reference to the bug on bugzilla. > I am not so familiar with our sec process details. When the advisory is published, is the information needed to write the description publicly available? I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves? Thanks! Nick -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAMnWBR0xEiorAnFGo6-Op3BZPdxMLxBvsZqmJfeTnuw_yxwLjQ%40mail.gmail.com.
