When the advisory is published, is the information needed to write the description publicly available? I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves?

No. Advisories are published around the time the release goes out, and bugs (which typically contain a lot more detail about the specifics of the issue and the fix) are not opened up until users have broadly updated to builds containing the fix for the security issue. This is to avoid exposing users that are still on older builds to exploitation.

~ Gijs

On 13/05/2025 16:34, 'Nick Alexander' via [email protected] wrote:
Hello sec team!

On Tue, May 13, 2025 at 5:44 AM 'Frederik Braun' via [email protected] <[email protected]> wrote:

    Hi all,

    For those who don't know, we publish detailed security advisories
    <https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/>
    for every new Firefox release.
    A typical advisory lists 10 to 20 security issues with a title,
    their severity, the reporter and a description. Writing these
    advisories is a cumbersome, manual process that takes too much time.

    We believe that this is not time well spent.
    We don't believe that people should make their decisions whether
    to update Firefox based on the individual CVEs that were fixed in
    a specific release. As an evergreen product in a connected world,
    Firefox is only kept secure if full browser updates are applied as
    soon as possible and not weighed on the little information that we
    can include in our description.
    People that /do/ need more information and are building software
    downstream of our source code may be nominated for our security
    group
    <https://www.mozilla.org/en-US/about/governance/policies/security-group/membership/>.
    This group gets insights into the actual bugs and their fixes
    ahead of release.
    We will continue to make security bugs public once they have been
    fixed and when a significant portion of our users have had the chance
    to apply an update. This typically happens a couple of months
    after the specific release.

    As a result of these considerations, we would like to switch our
    security advisory format to a simpler template that contains fewer
    details. We intend to keep the following information: CVE-ID,
    Severity, Reporter, Title, Component and a reference to the bug on
    bugzilla.


I am not so familiar with our sec process details. When the advisory is published, is the information needed to write the description publicly available? I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves?

Thanks!
Nick
--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/firefox-dev/CAMnWBR0xEiorAnFGo6-Op3BZPdxMLxBvsZqmJfeTnuw_yxwLjQ%40mail.gmail.com <https://groups.google.com/a/mozilla.org/d/msgid/firefox-dev/CAMnWBR0xEiorAnFGo6-Op3BZPdxMLxBvsZqmJfeTnuw_yxwLjQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
