Security/Firefox/Security Bug Life Cycle/Security Advisories: Difference between revisions

Small improvements
(Add information about public & private repo)
(Small improvements)
Line 25: Line 25:
===== Friday =====
===== Friday =====
# Send a mail with the YAML files to the security group (security-group@), to get further review
# Send a mail with the YAML files to the security group (security-group@), to get further review
===== Day Before Release (usually Monday) =====
# Set up CVE and Bugzilla credentials, (maybe try <code>DRY_RUN=1</code>)
# Set up CVE and Bugzilla credentials, (maybe try <code>DRY_RUN=1</code>)
# Run <code>assign_cve_ids</code>, this should reserve IDs and set the alias of each bug in Bugzilla to its CVE ID
# Run <code>assign_cve_ids</code>, this should reserve IDs and set the alias of each bug in Bugzilla to its CVE ID
# Make a release manager accept the PR.
# Make a release manager accept the PR. See [[#Assign_CVEs]] for more.
# Review the Thunderbird PR and make sure it gets merged.
# Review the Thunderbird PR and make sure it gets merged.
===== Release Day (usually Tuesday) =====
===== Release Day (usually Tuesday) =====
# Make sure there are no last minute uplifts or other changes. If there are repeat the necessary steps.
# When the actual release happens, make sure a release manager also merges it into the public repo at https://github.com/mozilla/foundation-security-advisories. At that point a GHA should populate the CVEs with the actual data from the YAML files.
# When the actual release happens, make sure a release manager also merges it into the public repo at https://github.com/mozilla/foundation-security-advisories. At that point a GHA should populate the CVEs with the actual data from the YAML files.
# Make sure the CVEs show up at https://www.mozilla.org/en-US/security/advisories/
# Make sure the CVEs show up at https://www.mozilla.org/en-US/security/advisories/
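Review bot: The added "See [[#Assign_CVEs]] for more." is attached to the "Make a release manager accept the PR." step, but the step that deals with CVE assignment is the one before it, "Run <code>assign_cve_ids</code>". Consider moving the link to that step, or stating what the release manager should check in that section before accepting the PR. In the new Release Day step, "If there are repeat the necessary steps." needs a comma after "If there are" and does not say which steps are meant. Naming them would make the step actionable, for example re-sending the updated YAML files to the security group and re-running <code>assign_cve_ids</code> for any newly included bugs.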