Closed
Bug 336339
Opened 18 years ago
Closed 16 years ago
Better communication between Mozilla and Security Community
Categories
(mozilla.org :: Governance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gustavo, Assigned: ws)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

I'm an Information Security Professional and I try to stay informed about the latest security news. But today Firefox surprised me when it asked to install a security update (1.5.0.3) that I wasn't expecting.

I think a communication channel between the Mozilla security team and the Security Community is necessary, like the "Microsoft Security Response Center Blog" (http://blogs.technet.com/msrc/). That way, we (security professionals) could get information to assess the security risks, define workaround strategies and prepare to update Firefox and other Mozilla applications quickly and cleanly.

Reproducible: Sometimes

Steps to Reproduce:
1. Mozilla releases a new security update
2. I didn't receive any previous warning about this update

Actual Results:
I am delayed in implementing a corporate strategy to handle this update

Expected Results:
1. I receive a warning about a soon-to-be-released security update
2. I plan a corporate strategy to handle this update
3. Mozilla releases the security update
4. I implement the update quickly and cleanly
Updated•18 years ago
Assignee: cbeard → zak
Component: General → Governance
Product: Marketing → mozilla.org
QA Contact: chofmann → governance
Version: unspecified → other
Comment 1•18 years ago
This particular release was a bit of a surprise, to respond to last week's public PoC. Communication about the upcoming 1.5.0.4 (renamed from 1.5.0.3 because of today's release) has, I hope, been better. We've blogged about that one all over, and it should be released toward the end of May:
http://wiki.mozilla.org/Firefox#Firefox_1.5.0.3_.28Deer_Park.29_Plan

A dedicated security blog wouldn't be a bad idea, rather than expect people to watch the general development blog.
Comment 2 (Reporter)•18 years ago
(In reply to comment #1)
> A dedicated security blog wouldn't be a bad idea, rather than expect people to
> watch the general development blog.

DevNews had only three posts about security (http://developer.mozilla.org/devnews/index.php/categories/security/) and I think this amount of information isn't enough.

There are some blogs, like Asa's and Ben's, from which we could anticipate some security information, but they aren't dedicated to security and their information is decentralized, so we could easily miss some important notice.

Some Mozilla pages are about security, like http://www.mozilla.org/security/announce/, but these pages aren't as easy to track as a blog would be.

Finally, there are already the "Mozilla Developer News" and the "Mozilla QA Team" blogs, so why not a Mozilla Security Team blog?
Comment 3•18 years ago
As this relates to all Mozilla products, it should eventually be handled by mozilla.org staff (when it reforms). For the short term, we have:

* http://www.mozilla.org/projects/security/known-vulnerabilities.html
* http://www.mozilla.org/projects/security

I also wonder if putting up a prominent link to the security bugs in bugzilla would help? Any other suggestions here (beyond what has been already suggested)?
Status: NEW → ASSIGNED
Comment 4•18 years ago
I don't think this is necessarily a matter for staff. Management of security bugs and security messaging has been delegated to the security group, because they are the experts. So I would suggest that staff only needs to consider the issue if the security group cannot agree on a good solution to the problem.

Gerv
Comment 5 (Reporter)•18 years ago
(In reply to comment #4)
> Management of security
> bugs and security messaging has been delegated to the security group, because
> they are the experts.

This is not about changing the current management of security; it is a suggestion to create a communication channel for the security team to inform security professionals (and heavy users) about upcoming or recently released patches, zero-day exploits, possible workarounds, and other information that could help us maintain the security of Mozilla products on the user side.
Comment 6•17 years ago
Window, we interpret this as a request for a public channel on security issues. Could you evaluate this request and decide what action, if any, is required?
Assignee: zak → window
Status: ASSIGNED → NEW
Comment 7•17 years ago
I think the public channels and information are there to support the original request in comment 0. That request was "information is needed to assess the security risks, define workaround strategies and prepare to update Firefox and others Mozilla's applications quickly and cleanly."

The vulnerabilities page, and the newly formed "Firefox & Thunderbird pre-release announcement lists" should provide the kind of information needed to make informed decisions. See pre-release announcement page post for more info.
http://groups.google.com/group/mozilla.feedback.firefox.prerelease/browse_thread/thread/a09adfc0e8102ecd/#

One problem we still might have is navigation to this information. A good and easy navigation path to the vulnerability page from http://www.mozilla.org or http://www.mozilla.com doesn't exist, and still might confuse users when they hear a news blip about mozilla security updates and come to the main sites to try and find out more.
Comment 8 (Reporter)•16 years ago
The blog below resolves this request.
http://blog.mozilla.com/security/2007/06/01/new-mozilla-security-blog/
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED