On 02/11/2016 01:28 AM, Al Billings wrote:
We do our best to triage all new security bugs in a timely fashion.
These bugs were no exception. They were assigned a sec-moderate rating
as they present a limited risk and were added to our bug-fix queue.

Thanks for these explanations but I am sorry to disagree.

You only added the sec-moderate rating (which I do not share, for reasons I will give in the bugs so as not to disclose bug details here) on February 5, 2016, without any further explanation and without even reproducing the bug. I do not see how you can assign a definite severity rating without even reproducing and confirming a bug (and these bugs can be reproduced within 1 minute!).

Apart from that, these bugs were thus 75 days without a security severity rating and in UNCONFIRMED status. So, it is a "timely fashion" and "no exception" to let new security bugs stay untriaged for 75 days?

Mozilla has limited engineering resources, and we use these security
ratings to guide which bugs we work on. The queue of sec-moderate bugs
is always being worked on, and unfortunately, we just haven’t gotten to
these yet.

Again, I am sorry, but I think that, even for sec-moderate bugs (which can be, e.g., something like "Disclosure of entire browsing history"), working on security bugs *as time permits* (and not by setting target dates or target versions) is the very definition of "treating security as optional". I do not suggest that all bugs have to be fixed instantly (or the fix being merged into mozilla-beta or mozilla-aurora), but you have to set yourself a goal which cannot only be based upon available resources. With Mozilla engaging in Connected Devices, will it soon be: "Sorry, your smartwatch does disclose your location history to web pages, we will fix that as soon as we have enough resources."?

Additionally, this is not really about fixing bugs but mainly about confirming private bugs. The whole idea of reporting bugs privately to vendors is that you share the bug with as few people as possible. This makes it impossible to discuss the bug publicly or to lobby people to look at it (or, e.g., vote on it). The responsibility of the vendor is, thus, to at least react to reported bugs (this is true for every piece of information shared via secur...@mozilla.org) and confirm them as soon as possible. I did not find any metrics on this by a quick search, but I think 75 days to confirm a bug should not even be something you aim for, even for a public bug!

Best regards,
Rafael
_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance