Security/Archived/Reviews/
THIS PAGE COVERS THE OLD PROCESS. THE CURRENT PROCESS (AS OF 2019) CAN BE FOUND at Security/Reviews/
Contents
Process
Schedule
- Security Review Calendar (.ics)
- Security Review Calendar (HTML)
- Security Review Template
- Completed Secreviews
The Security Review calendar is currently shared publicly for viewing. Those with higher rights must edit the calendar using zimbra. The calendar is shared via zimbra sharing and a standard welcome message:
Note: The standard message displays your name, the name of the shared item, permissions granted to the recipients, and login information, if necessary.
To edit a calendar event
- Double click event in Zimbra like you would any other event
- if the event asks if you want to edit the instance or the series you will in general only want the single instance
- Edit the instance as needed and send then send (not save)
To Add a new event
- Create a new event just like you would on your own calendar
- Under the "Calendar" pull down select "Security Review"
- When done with all the details click send
IRC Channel
Unless otherwise noted on the agenda for a review the IRC channel for reviews shall be #security.
Performing a Security Review
You can find documentation on how security reviews are performed, including the steps we take, and what documentation we expect to produce in the course of the security review at Security Review Processes.
Scheduling a Review
Please use the instructions on this wiki: https://wiki.mozilla.org/Security/Reviews/Review_Request_Form
Design Review
All features regardless of size should have a design review. These should occur before any code is landed to Mozilla Central (MC), the goal is to find architectural flaws that may result in serious security issues. When a feature page is created a security contact should be specified for the feature to ensue the smoothest integration for security input and reviews. If you find you are missing such a contact please email secteam at mozilla dot com to have one assigned. The level of work required for design reviews will vary depending on such factors as complexity of the feature, changes to known fragile code, and/or features that alter the security posture of the product or of Mozilla as a whole. Design reviews may be followed up with implementation reviews, fuzz testing, outside code review or other security tasks as deemed necessary to ensure the safety and security of our users.
Implementation Review
Just as it sounds this is a review of a patch and its corresponding implementation prior to that patch landing in a widely use branches (MC, Aurora, Beta, etc). Not all patches will require a security review, however, if a patch is deemed to need a security review and one is not completed that patch may be backed out until such a review is completed. Patch owners will most often be contacted by the security team for such a review, however, we encourage patch authors to be proactive and contact secteam when they are in doubt or feel a security review would be beneficial.
Tracking Features for Review
Current features are being track for review here: https://wiki.mozilla.org/Security/Radar
Firefox
- Review archive
With the change to wikimedia search capable feature pages review archives will not be maintained in this format. Please use: Security Radar Complete
- about:telemetry
- Firefox 8
- Firefox 7
- Firefox 6
- Firefox 5
- Firefox4.next
- Firefox 4.0 Security Reviews
- Firefox 3.6 Security Reviews
- Firefox 3.5 Security Reviews
Mozilla Apps Project
BrowserID
Browser ID Security Review link
AppStore
AppStore Security Review link
DevTools
Responsive Mode Security Review link
SocialAPI
SocialAPI Security Review link
Template
Empty template to use for creating a new SecReview page link