Major Projects

• Apps / Appstore
• BrowserID
• Silent Updates
  • Code Signing - https://mana.mozilla.org/wiki/display/INFRASEC/Code+Signing+Security
• HSM Updates

SecGroup Co-ordination

• curtisk & yvan

Security content on MDN

• curtisk to sched something with mcoates & sheppy

CTF

• [freddy] hosting a CTF competition
• end of Jan
• meeting tomorrow at 2pm PST to start organizing
• custom software with custom vulns - not on the live sites

Facebook / Twitter Button -- Privacy

• can not use built-in buttons in a way that is compliant with Moz privacy policies
  • this is because tracking is done with these buttons
• building modified buttons that send nothing until a user clicks
• working on content for how to use these in a privacy protecting fashion

- https://bugzilla.mozilla.org/show_bug.cgi?id=701759

Where are infra-security reviews scheduled

• https://wiki.mozilla.org/WebAppSec/Security_Review_Request
• https://mana.mozilla.org/wiki/display/INFRASEC/AppSec+Review+Schedule
• current whiteboard tags [pending secreview][in-progress secreview]
• Bigger projects
• https://wiki.mozilla.org/Security/Reviews/Identity/browserid
  • Add bigger meetings to calendar - kickoff, brownbag

DirectlyResponsibleIndividual

• someone who is the contact point for cross-over projects
  • can engage other people/resources as needed
• reduce the number of people from joint teams attending meetings
• people need to discuss and self-assign

changing keyword tags (legneato proposal)

• https://bugzilla.mozilla.org/show_bug.cgi?id=696898

1. security/plat/review/needed ... /complete
2. security/infra//review/needed .../complete

Proposal

1. (namespace)/..../(leafnode keyword)

Examples:

1. relman/triage/needs-info
2. relman/triage/defer-to-group

• we really need a good way for people to make a request and for us to figure out rather they know before hand
  • the more they have to know to engage us, the less likely they are to do it