Security Severity Ratings/Merge

From MozillaWiki

Security bugs are rated by adding a "sec-<rating>" keyword to the "Keywords" field in Bugzilla. For example, a bug with a Critical security rating is marked "sec-critical".

Severity Ratings

Additional Security Status Codes

If a potential security issue has not yet been assigned a severity rating, or a rating is not appropriate, the whiteboard may instead contain one of the following security status codes.

{| class="wikitable"
|colspan="3" style="text-align:center"|Bugzilla Codes
|-
|sec-review-needed
|A security review is needed for the bug; this could mean a variety of things. If there is no secr:<username> in the whiteboard, the item has not been triaged and the action is unknown. Once triaged, a note will be placed in the bug as to the action to be taken.
|
|-
|sec-review-complete
|The security review / actions desired have been completed. This will result in either a link to the notes from the security actions or a note from the assigned resource in the bug.
|
|-
|sg:assigned:UserAlias
|This designates the assigned security resource that is accountable for the actions to be taken on the designated item. When possible the bug will be assigned to the security contact for action; this code is used when that is not possible or practical.
|[sg:assigned:curtisk] indicates that curtisk is the accountable party for action
|-
|colspan="3" style="text-align:center"|Feature Page Codes
|-
|sec-review-needed
|A security review is needed for the feature; this could mean a variety of things. If there is no <username> in the notes, then a full review needs to be scheduled; if a <username> is present, then that person will follow up with the feature team on whatever task is needed.
|
|-
|sec-review-complete
|The security review / actions desired have been completed. This will result in a link to the notes from the security actions or a note from the assigned resource.
|
|-
|sec-review-active
|There are active tasks associated with the review that are yet to be completed in order for the review to be seen as complete. These will be captured in the "Action Items" section of the review notes.
|
|-
|sec-review-sched
|Security review tasks have been scheduled; if this is a full security review, the date of the scheduled review will be present in the security notes.
|
|-
|sec-review-unnecessary
|After triage it was felt the feature needed no review or security actions.
|
|-
|Security health: <blank>
|There are no notes or the status is unknown.
|Color: <None>
|-
|Security health: OK
|The tasks are on schedule or completed and are considered non-blocking.
|style="background:#9D9;"|Color: Green
|-
|Security health: Blocked
|Some aspect of the security review has given cause to block the feature from further work or landing. The reasons will be listed in the security notes or linked to a larger review outcome for follow-up.
|style="background:#FFA;"|Color: Yellow
|-
|Security health: At Risk
|Some aspect of the security review may cause the feature to be blocked or put the feature at risk of being off schedule. The reasons will be listed in the security notes or linked to a larger review outcome for follow-up.
|style="background:#F99;"|Color: Red
|-
|Security health: Assigned
|Security tasks have been assigned to a member of the team to follow up. The name of this resource will be in the security notes.
|style="background:#9ff;"|Color: Teal
|}
