Hello, The Mozilla Security Team is planning on turning on Secure Mail for "Security-Sensitive Core Bug" group bugs in the near term on bugzilla.mozilla.org. This has been previously turned on and tested for web and infrastructure security bugs during the past six months.
I've put together a short guidance page for this at https://wiki.mozilla.org/Security/Security_Bugs/EncryptedBugmail. We wanted to inform people of the current plan to avoid surprises. For most people, the effects of this will be minimal. If you're CC'd on a core security bug and have not set an encryption key, your email notice on bug changes *for that security bug only* will state that the bug has changed with a link to it and no other information. If you set a key, you will receive an encrypted copy of the normal bugzilla email with details. For those actually in the "Security-Sensitive Core Bug" group, they will need to set a key in order to reset their own passwords (because of the reset URL being sent). If no key is set, email will need to be sent to bugzilla-admin in order to change passwords. This won't affect the vast majority of folks. This is part of an overall goal to decrease the risk of accidental exposure of security bugs to hostile third parties. Al Billings Program Manager, Mozilla Security _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
