On Tue, May 13, 2025 at 9:03 AM Gijs Kruitbosch <[email protected]> wrote:

> When the advisory is published, is the information needed to write the
> description publicly available? I.e., is the "reference to the bug on
> bugzilla" -- a link to the bug, I assume -- open so that a motivated
> individual could plausibly produce the description themselves?
>
> No. Advisories are published around the time the release goes out, and
> bugs (which typically contain a lot more detail about the specifics of the
> issue and the fix) are not opened up until users have broadly updated to
> builds containing the fix for the security issue. This is to avoid exposing
> users that are still on older builds to exploitation.

Thanks for clarifying, Gijs. So: there is less information published, and a
justification for that reduction based on the effort involved. Fine by me!

Nick

> ~ Gijs
>
> On 13/05/2025 16:34, 'Nick Alexander' via [email protected] wrote:
> > Hello sec team!
> >
> > On Tue, May 13, 2025 at 5:44 AM 'Frederik Braun' via
> > [email protected] <[email protected]> wrote:
> >> Hi all,
> >>
> >> For those who don't know, we publish detailed security advisories
> >> <https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/>
> >> for every new Firefox release.
> >> A typical advisory lists 10 to 20 security issues with a title, their
> >> severity, the reporter and a description. Writing these advisories is a
> >> cumbersome, manual process that takes too much time.
> >>
> >> We believe that this is not time well spent.
> >> We don't believe that people should make their decisions whether to
> >> update Firefox based on the individual CVEs that were fixed in a specific
> >> release. As an evergreen product in a connected world, Firefox is only kept
> >> secure if full browser updates are applied as soon as possible and not
> >> weighed on the little information that we can include in our description.
> >> People that *do* need more information and are building software
> >> downstream of our source code may be nominated for our security group
> >> <https://www.mozilla.org/en-US/about/governance/policies/security-group/membership/>.
> >> This group gets insights into the actual bugs and their fixes ahead of
> >> release.
> >> We will continue to make security bugs public once they have been fixed
> >> and when a significant portion of our users have had the chance to apply an
> >> update. This typically happens a couple of months after the specific
> >> release.
> >>
> >> As a result of these considerations, we would like to switch our security
> >> advisory format to a simpler template that contains fewer details. We intend
> >> to keep the following information: CVE-ID, Severity, Reporter, Title,
> >> Component and a reference to the bug on bugzilla.
> >>
> >
> > I am not so familiar with our sec process details. When the advisory is
> > published, is the information needed to write the description publicly
> > available? I.e., is the "reference to the bug on bugzilla" -- a link to
> > the bug, I assume -- open so that a motivated individual could plausibly
> > produce the description themselves?
> >
> > Thanks!
> > Nick
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "[email protected]" <[email protected]> group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion visit
> > https://groups.google.com/a/mozilla.org/d/msgid/firefox-dev/CAMnWBR0xEiorAnFGo6-Op3BZPdxMLxBvsZqmJfeTnuw_yxwLjQ%40mail.gmail.com

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAMnWBR0Qem%2BrVE%2BypSg8FTtKfQjzqZmexJYCTf7oJo40jyYNcw%40mail.gmail.com.
