• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [mcoates] Summit - book your travel <-aka submit to google form sent via email

  * https://docs.google.com/a/mozilla.com/forms/d/13RYSEuuIPf-atUUvwz_9VozcyOUQSxH5X3PCGubJ1p0/viewform?pli=1

• [mcoates] Team meetup - book your flight
• Remote Worker Guidelines
  • https://mana.mozilla.org/wiki/display/WPR/Remote+Worker+Guidelines
  • Etherpad for questions: https://security.etherpad.mozilla.org/RemoteWorkerGuidelines
• [ygjb] my team goals need to be updated :/
• [curtis / psinnon] Proposed verification changes
  • https://wiki.mozilla.org/Security/Web_Bug_Rotation#Proposed_enhancement_to_the_process
  • [question: track in meta bugs?] -> yes
  • [question: tools to start with?] -> Minion, ZAP (with zest)
• [curtis] Bug tags
  • risk ranking: steadily rising even with changes to process from SF work week where we got rid of number and went to Low/Med/High/Critical structure
    • https://wiki.mozilla.org/Security/RiskRatings#What_Scores_Mean
    • whiteboard tag [score:low], [score:med] [score:high], [score:crit] <- short-form? capitalization? (short forms should work fine and I don't think bugzilla cares about caps)
  • deadline: remains mostly parallel to new incoming bug rate
  • Could this work as a goal - ensure at end of each week all your bugs are scored? I think the problem here is there's the intent to do it but no accountability
  • Recommend a BROWNBAG where expectations for marking bugs are clearly set and questions are asked/answered
  • Action Item [Curtis] - Enhance documentation so a new person could properly complete without need to ask anyone else questions on the process. E.g step 1: do this, step 2: if X then do y...
• [yvan] Intro Jacob
• [yvan] Conferences
  • BlackHat
  • AppSecEU
  • AppSecUSA
• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdGVNXzUxZkJ0WHJPNG0wMDF3ODF6REE
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard
• Security Reports
• Upcoming PTO (do not put on wiki, DNT)
  • Stefan will be on PTO next week and then at a conference the week after - limited availability first week.
  • dchan - PTO Aug 8 / 9
  • [joes] - Jul 19
  • [cr] PTO Jul 19-23, Aug 5-9
  • [freddyb] PTO Jul 19,26 & Aug 2 (three Fridays)
  • [ulfr] PTO Jul 26

• [PT] - Need to figure out a new time for the Firefox OS meeting - Dooooodle http://www.doodle.com/2dz4fyztax9zvfyp#table

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

Planned Blog Posts

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1:64 / Q2: 72

https://security-review-statistics.vcap.mozillalabs.com/weekly (12)

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

• [cr] Have a working SIM card read/write setup.

Firefox Core

• [cr] Florian Boehl (PhD cand. Cryptography) might volunteer-help with writing PRNG tests. Interesting enough to push this? (Let's not be the next Cryptocat / Debian.)

MarketPlace

• [cr] bi-weekly meeting between Marketplace and Security initiated

Web Apps

Services

Operation Security