m (Convert examples into a bullet list so items don't get lost in a long sentence) |
(Updating process to use a bullet list to raise the profile of the important points) |
| Line 11: | Line 11: | ||
==Process== | ==Process== | ||
For security bugs with no sec- severity rating assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]] | For security bugs with no sec- severity rating assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]]. If you have any questions or are unsure about anything in this document contact us on IRC in the #security channel or ask a senior developer who has worked on a lot of security bugs. | ||
Core-security bug fixes should just be landed by a developer without any | Core-security bug fixes should just be landed by a developer without any | ||
explicit approval if: | explicit approval if: | ||
'''A)''' The bug has a sec-low, sec-moderate, sec-other, or sec-want rating.<br> '''<u>or</u>'''<br>'''B)''' The bug is a recent regression on mozilla-central. This means | |||
* A specific regressing check-in has been identified | |||
* The developer can ('''and has''') marked the status flags for ESR, Beta, and Aurora as "unaffected" | |||
* We have not shipped this vulnerability in anything other than a nightly build | |||
If it meets the above criteria, check that patch in. | If it meets the above criteria, check that patch in. | ||
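Review bot: "If it meets the above criteria, check that patch in." is left with no criteria above it in this hunk: the lines after "explicit approval if:" that defined conditions A and B are removed, and no replacement is visible here. Wherever the new bullet list lands, it should keep the "or" between A and B explicit and carry over all three parts of B, in particular that the status flags for ESR, Beta, and Aurora have actually been marked "unaffected", not only that the developer is able to mark them; the old wording "can ('''and has''') marked" would read better as "can mark, and has marked". The sentence added to the first paragraph also needs a comma after "document".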