From MozillaWiki
Jump to: navigation, search

Prioritizing security features

  • Concern that we're falling behind Chrome and even IE on some security features
    • See Brandon's email to security-group (private list) for details on the concern
    • Fixing and blogging would be good PR in addition to protecting users and sites
  • "EverythingElseSmash": prioritization & getting help from the platform team
  • Brandon & Ian will be triaging the long list of sg:low and sg:want bugs next week
  • Should also ensure we have bugs on the security features that the Chrome & IE teams have been blogging about.
  • Grouping a set of related bugs into a project / feature page / metabug can help get people interested

Security roadmap changes

Black Hat

  • [chofmann] Hotel updates
    • Caesars extensions (e.g. for people staying for DEFCON) done
    • Caesars out of rooms, so late signups will be staying somewhere else (Flamingo?)
  • Attendees, please update
    • Party signups
    • Talk signups. Let's indicate which talks we're going to.
    • Dinner signups
  • What should we discuss with PR beforehand?
    • Always ok to say "I don't know, I'll get back to you"
    • JIT compiler talk
    • SSL controversies (cert ui, dnssec, protocol holes)
    • Schedule a meeting? Start an email thread with BH attendees and PR team?

Anti-tampering: user.js

Writing for the security blog

  • Information about team members
    • How to find us at Black Hat & DEF CON
    • Find us on irc in #security and #fuzzing
  • Security features, EverythingElseSmash, Roadmap
    • Help us prioritize
    • Help us fix
  • Help us figure out web compatibility impact of feature X we're contemplating. (Short posts are okay!)
  • Success of CritSmash? Maybe not.
  • What RapidRelease means for security
    • We can get security features into Firefox faster
    • Improves testing of fixes for security bugs, but constrains secrecy.
  • Recent changes to the sec-review process. (Curtis will write this.)
    • Examples of successes (e.g. finding problems in CSS transitions implementation and in the ServerSentEvent spec)
    • Bugzilla keywords
    • How to subscribe to the calendar and dial in to meetings you're interested in
    • How we pick out features that need security reviews (when developers and product managers don't come to us)
    • When we hold meetings and when we just have one person poke at it
  • Bug bounty winners. (Dan and Chofmann will write this.)
    • So far most bounty winners have said they're cool with us mentioning their names in public

XSS filter update (Riccardo)

  • Will schedule security review

DNSSEC update (David Keeler)