Closed Bug 288085 Opened 20 years ago Closed 20 years ago

enter_bug.cgi should mention TEMPORARY confidentiality for security bugs

Categories: bugzilla.mozilla.org :: General, defect, P1

Status: VERIFIED FIXED
Reporter: dveditz, Assigned: justdave

Preamble:
People don't read the linked security policy (don't blame them, we need
something more to the point--but they still won't read it). These people read
the text next to the security bug checkbox and think the confidentiality lasts
forever.

Some of these don't even pretend to be security bugs, they just don't want
whatever it is to be public (account details, names, whatever).

Solution:
Stress the temporary nature of confidentiality right in the entry form.

"This is a security problem that should be kept confidential until resolved"

My first thought was to say "patched" or "fixed" instead of "resolved", but a
lot of them are invalid or dupes and never get "fixed". And it's not entirely
accurate, problems that are deemed not to be exploitable could be opened prior to
resolution, but I think it's close enough and gets the idea across.

I could also go for "... kept confidential temporarily" or "... temporarily kept
confidential". It's a bit vague but might encourage more reading of the security
policy. Scratch that, we really ought to point people at a clearer page first. I
vote for my first form.

I prefer "should be" to the current "needs to be" since it sounds more like the
recommendation it is instead of the incorrect statement of fact it is often
mistaken to be.
Does this make sense?

-----
      This is a security problem that needs to be kept confidential temporarily
until it is resolved 
      (<a
href="http://www.mozilla.org/projects/security/security-bugs-policy.html">security
policy</a>).
      All bugs will eventually become publicly visible.
-----
Priority: -- → P1
I think:

This is a security problem that should be kept confidential temporarily
until after it is resolved (<security policy>).

is plenty.

(The "after" shows that it won't necessarily be immediately opened up.)

Gerv
I don't like "after" because it isn't always true. Briefer is better; the longer
we make it, the more people will expect from it. I think I've come back around to my
first form:

This is a security problem that should be kept confidential until resolved
(<security policy>)

Dan: sounds fine.

Gerv
I'd like to toss out "addressed" instead of "resolved". While some people will expect
"addressed" to equal resolved/fixed, it could mean that someone looked at it and decided
it's silly and squished the security flag. (It could also mean that the bug's confidential
bits were squished as part of the addressing.)
(In reply to comment #5)
> i'd like to toss out "addressed" instead of resolved.

OK, fine. Can we make something happen now?
This can only be fixed by Myk or Dave, who have write access to the b.m.o.
Bugzilla installation.

Gerv
Severity: normal → critical
Done.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Thanks, looks great!
Status: RESOLVED → VERIFIED
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org