Prioritizing security features
- Concern that we're falling behind Chrome and even IE on some security features
- See Brandon's email to security-group (private list) for details on the concern
- Fixing and blogging would be good PR in addition to protecting users and sites
- "EverythingElseSmash": prioritization & getting help from the platform team
- Brandon & Ian will be triaging the long list of sg:low and sg:want bugs next week
- Should also ensure we have bugs on the security features that the Chrome & IE teams have been blogging about.
- Grouping a set of related bugs into a project / feature page / metabug can help get people interested
Security roadmap changes
- [chofmann] Hotel updates
- Caesars extensions (e.g. for people staying for DEFCON) done
- Caesars out of rooms, so late signups will be staying somewhere else (Flamingo?)
- Attendees, please update https://intranet.mozilla.org/ConferencesSchedule/Blackhat2011
- Party signups
- Talk signups. Let's indicate which talks we're going to.
- Dinner signups
- What should we discuss with PR beforehand?
- Always ok to say "I don't know, I'll get back to you"
- JIT compiler talk
- SSL controversies (cert ui, dnssec, protocol holes)
- Schedule a meeting? Start an email thread with BH attendees and PR team?
Writing for the security blog
- Information about team members
- How to find us at Black Hat & DEF CON
- Find us on irc in #security and #fuzzing
- Security features, EverythingElseSmash, Roadmap
- Help us prioritize
- Help us fix
- Help us figure out web compatibility impact of feature X we're contemplating. (Short posts are okay!)
- Success of CritSmash? Maybe not.
- What RapidRelease means for security
- We can get security features into Firefox faster
- Improves testing of fixes for security bugs, but constrains secrecy.
- Recent changes to the sec-review process. (Curtis will write this.)
- Examples of successes (e.g. finding problems in CSS transitions implementation and in the ServerSentEvent spec)
- Bugzilla keywords
- How to subscribe to the calendar and dial in to meetings you're interested in
- How we pick out features that need security reviews (when developers and product managers don't come to us)
- When we hold meetings and when we just have one person poke at it
- Bug bounty winners. (Dan and Chofmann will write this.)
- So far most bounty winners have said they're cool with us mentioning their names in public
XSS filter update (Riccardo)
- Will schedule security review
DNSSEC update (David Keeler)