Security/Archived/Reviews/


THIS PAGE COVERS THE OLD PROCESS. THE CURRENT PROCESS (AS OF 2019) CAN BE FOUND at Security/Reviews/

Process

Schedule

The Security Review calendar is currently shared publicly for viewing. Those with higher rights must edit the calendar using Zimbra. The calendar is shared via Zimbra sharing and a standard welcome message:

Note: The standard message displays your name, the name of the shared item, permissions granted to the recipients, and login information, if necessary.

To edit a calendar event

  • Double-click the event in Zimbra as you would any other event
    • If the event asks whether you want to edit the instance or the series, you will in general only want the single instance
  • Edit the instance as needed and then send (not save)

To add a new event

  • Create a new event just as you would on your own calendar
  • Under the "Calendar" pull-down, select "Security Review"
  • When done with all the details, click send

IRC Channel

Unless otherwise noted on the agenda for a review the IRC channel for reviews shall be #security.

Performing a Security Review

You can find documentation on how security reviews are performed, including the steps we take, and what documentation we expect to produce in the course of the security review at Security Review Processes.

Scheduling a Review

Please use the instructions on this wiki: https://wiki.mozilla.org/Security/Reviews/Review_Request_Form


Design Review

All features, regardless of size, should have a design review. These should occur before any code is landed on Mozilla Central (MC); the goal is to find architectural flaws that may result in serious security issues. When a feature page is created, a security contact should be specified for the feature to ensure the smoothest integration of security input and reviews. If you find you are missing such a contact, please email secteam at mozilla dot com to have one assigned. The level of work required for design reviews will vary depending on factors such as the complexity of the feature, changes to known fragile code, and/or features that alter the security posture of the product or of Mozilla as a whole. Design reviews may be followed up with implementation reviews, fuzz testing, outside code review, or other security tasks as deemed necessary to ensure the safety and security of our users.

Implementation Review

Just as it sounds, this is a review of a patch and its corresponding implementation prior to that patch landing in widely used branches (MC, Aurora, Beta, etc.). Not all patches will require a security review; however, if a patch is deemed to need a security review and one is not completed, that patch may be backed out until such a review is completed. Patch owners will most often be contacted by the security team for such a review; however, we encourage patch authors to be proactive and contact secteam when they are in doubt or feel a security review would be beneficial.

Tracking Features for Review

Current features are being tracked for review here: https://wiki.mozilla.org/Security/Radar

Firefox

Review archive

With the change to wikimedia search-capable feature pages, review archives will not be maintained in this format. Please use: Security Radar Complete

Mozilla Apps Project

BrowserID

Browser ID Security Review link

AppStore

AppStore Security Review link

DevTools

Responsive Mode Security Review link

SocialAPI

SocialAPI Security Review link


Template

Empty template to use for creating a new SecReview page link