(→Process: do CVEs earlier, to give distributors a smoother process.) |
|||
| Line 67: | Line 67: | ||
The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.) | The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.) | ||
==== Oh no, I don't have enough CVEs! ==== | |||
That's alright. Assign the issue an id of MFSA-TMP-YEAR-#### where # is a unique incrementing number. Everything will work fine. Later when we have the CVE, go back and assign it. | |||
[https://github.com/mozilla/foundation-security-advisories/commit/3114d01de2f27cdb606d8d07603c2362515104f1 Here's an example of what it looks like.] | |||
n.b. While that example used MFSA-YEAR-####, that format is actually used for the advisories themselves (so MFSA-2020-0001 was accidentally used to refer both to an individual issue pending a CVE and to all advisories for Firefox 71.) So I'm suggesting the MFSA-TMP prefix to distinguish. We also previously the MFSA-YEAR-# format for individual issues from 2005ish - 2016. | |||
=== Get review === | === Get review === | ||
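Review bot: The last sentence of the added n.b. paragraph, "We also previously the MFSA-YEAR-# format for individual issues", is missing its verb (presumably "used"). In the same added section, the instruction "MFSA-TMP-YEAR-#### where # is a unique incrementing number" would be easier to follow with one literal sample ID next to it, because the linked example commit uses the MFSA-YEAR-#### form that the n.b. says collides with advisory IDs. The step "Later when we have the CVE, go back and assign it" also names no place where pending temporary IDs are tracked; consider saying where to look so a placeholder is not left in a published advisory.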