Closed
Bug 839188
Opened 11 years ago
Closed 11 years ago
Add John Karahalis and Ali Spivak to group "Security-Sensitive Websites"
Categories
(bugzilla.mozilla.org :: Administration, task)
RESOLVED
FIXED
People
(Reporter: openjck, Assigned: reed)
Details
Please add me (jkarahalis@mozilla.com) and my manager Ali (aspivak@mozilla.com) to the "Security-Sensitive Websites" group so that we can see security-sensitive bugs filed against MDN by default. In fact, I wonder if it would make sense to open this permission to all Mozilla employees. We are not going to exploit our own products, and the risk of making bugs invisible to the people who could fix them (e.g., me, Ali, and the people on my team) might outweigh the risk of opening security-sensitive bugs up to anyone in the company. Just my two cents.
Comment 1•11 years ago
Adding dveditz and mcoates to bug cc as they are admins for the group and will approve the change.
dkl
Reporter
Comment 2•11 years ago
Friendly ping. Any updates?
Assignee
Comment 3•11 years ago
(In reply to John Karahalis [:openjck] from comment #0)
> Please add me (jkarahalis@mozilla.com) and my manager Ali
> (aspivak@mozilla.com) to the "Security-Sensitive Websites" group so that we
> can see security-sensitive bugs filed against MDN by default.
Added.
> In fact, I wonder if it would make sense to open this permission to all
> Mozilla employees. We are not going to exploit our own products, and the
> risk of making bugs invisible to the people who could fix them (e.g., me,
> Ali, and the people on my team) might outweigh the risk of opening
> security-sensitive bugs up to anyone in the company. Just my two cents.
Sorry, not going to happen. Risks are just too high, especially considering the critical severity of some bugs. In fact, on the main security group, we're working on cutting down the number of people who can see security bugs. Too many potential problems.
Assignee: nobody → reed
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reporter
Comment 4•11 years ago
I understand. I still feel that Bugzilla could handle this better, though. Our team recently discovered 10+ active, weeks-old security flaws on MDN. If we had only known about them, we could have fixed them and protected our users from harm sooner. I see that making security-sensitive bugs available to all Mozilla employees might not be the best approach, but perhaps Bugzilla could do something else, something that better balances making these bugs available to the right people without exposing them to the wrong people.
Comment 5•11 years ago
(In reply to John Karahalis [:openjck] from comment #4)
We're working on this exact issue. We want to identify key individuals from each team and ensure they have proper visibility into security bugs specific to their areas. I added Yvan to this bug. He's a good person to follow up with via email to discuss suggested enhancements from a workflow perspective.
Comment 6•11 years ago
(In reply to Michael Coates [:mcoates] from comment #5)
> (In reply to John Karahalis [:openjck] from comment #4)
>
> We're working on this exact issue. We want to identify key individuals from
> each team and ensure they have proper visibility into security bugs specific
> to their areas. I added Yvan to this bug. He's a good person to follow up
> with via email to discuss suggested enhancements from a workflow perspective.
We could extend the WebService code to allow updating of user's permissions and you could use some script on your end to periodically make sure that people have the right permissions. There is bug 469196 about this upstream but no patch that I can see yet.
dkl
Comment 7•10 years ago
Re-ping on this ... :yvan - is there a way to add all MDN dev staffers to a group that can see all security bugs in the Mozilla Developer Network product on bugzilla?
Flags: needinfo?(yboily)
Updated•2 years ago
Flags: needinfo?(yvanboily+mozbugmail)