Security/Meetings/SecurityAssurance/2012-10-23

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • [Yvan] Security Champions - Started discussing the formation of the program with teams
  • [Michael] Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
  • [Michael] Group meetings - when/where
    • Client fuzzing team - Every other Tuesday at 1pm (including 2012-10-23 & 1 or 2 prior)
    • WebSecTools (Minion, garmr, zap) - Weds 4pm (UK) 8AM (PST) Simons Vidyo room
    • OpSec Team Meeting - Monday 8AM
    • Community Security Program - will plan this one out (curtisk)
      • interns from BCIT - 2 interns for 200 hrs each, including mentorship with Yvan
      • Jesse to give talk in Vancouver in March
    • [b2g meetings] - what do people want/need? (regular, or just 'getting started' workshop?)
      • existing status meeting - Tue 5 PM PST in B2G room
      • existing gaia meeting - Tue 9am PST in B2G room
    • others?
  • [gkw & Jesse] Partially joining in the JS Spidermonkey work week in MV this week (we represent decoder too)
  • [psiinon] any dates for Feb meeting yet?
    • Late Feb
  • Does the MoCo Engineering re-org affect us? (e.g. Johnath's promotion)
  • Layout & Graphics team week soon in Vancouver - Nov 12 - https://intranet.mozilla.org/Layout_Graphics_Video_-_Work_Week_-_November_2012
    • [Jesse] Aww, I wasn't invited?
  • [raymond] Creating a database/statistics about bug bounties. (Which components, etc)
    • [Jesse] This seems kind of redundant with the metrics project about security bugs

Upcoming Speaking Engagements

Security Review Status (koenig)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

  • testing on b2g still broken
    • we may move forward on testing APIs on desktop until b2g is fixed

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

  • had secreview for private browsing yesterday - Stefan and I will be working on this
  • Need secreviews for Java APIs for addons - will be working on this over the next week?

Sync (Simon Bennetts)

Sync 2.0 implementations to start in Jan

Services (Simon Bennetts & Adam Muntner)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • ateam having a work week in Toronto this week

Web Developer Tools (Mark Goodwin)

  • Working with devtools on a plan for non-priv UI for devtools.

Networking (Christoph Diehl)

  • WebRTC
    • We now have fuzzing support for JSEP and SDP; next step TURN and STUN (not yet enabled in the code).
    • WebRTC shall be pref'ed on by default asap; probably within the next month.
    • Henrik is updating the repository with crash-tests

Graphics (Christoph Diehl)

  • Gfx team wants to re-test QCMSv4
  • Graphite2 shortly before getting pref-ed on by default.

Networking (Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • No updates

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

  • One more xpcshell bug on try fixed on the way to green try