Closed Bug 336339 Opened 18 years ago Closed 16 years ago

Better communication between Mozilla and Security Community

Categories: mozilla.org :: Governance, task


Tracking: Not tracked

RESOLVED FIXED

People: Reporter: gustavo, Assigned: ws

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

I'm an Information Security Professional and I try to stay informed about the latest security news. But today Firefox surprised me when it asked to install a security update (1.5.0.3) that I wasn't expecting. I think a communication channel between the Mozilla security team and the Security Community is necessary, like the "Microsoft Security Response Center Blog" (http://blogs.technet.com/msrc/). That way we (security professionals) could get information to assess the security risks, define workaround strategies and prepare to update Firefox and other Mozilla applications quickly and cleanly.

Reproducible: Sometimes

Steps to Reproduce:
1. Mozilla releases a new security update
2. I didn't receive any prior warning about this update
Actual Results:
I am delayed in implementing a corporate strategy to handle this update

Expected Results:
1. I receive a warning about a security update that is near release
2. I plan a corporate strategy to handle this update
3. Mozilla releases the security update
4. I implement the update quickly and cleanly
Assignee: cbeard → zak
Component: General → Governance
Product: Marketing → mozilla.org
QA Contact: chofmann → governance
Version: unspecified → other
This particular release was a bit of a surprise, to respond to last week's public PoC.  Communication about the upcoming 1.5.0.4 (renamed from 1.5.0.3 because of today's release) has, I hope, been better. We've blogged about that one all over, and it should be released toward the end of May: http://wiki.mozilla.org/Firefox#Firefox_1.5.0.3_.28Deer_Park.29_Plan

A dedicated security blog wouldn't be a bad idea, rather than expect people to watch the general development blog.
(In reply to comment #1)
> A dedicated security blog wouldn't be a bad idea, rather than expect people to
> watch the general development blog.

DevNews had only three posts about security (http://developer.mozilla.org/devnews/index.php/categories/security/) and I think this amount of information isn't enough.

There are some blogs, like Asa's and Ben's, where we could anticipate some security information, but they aren't dedicated to security and their information is decentralized, so we could easily miss some important notice.

Some of Mozilla's pages are about security, like http://www.mozilla.org/security/announce/, but these pages aren't as easy to track as a blog would be.

Finally, there are already the "Mozilla Developer News" and the "Mozilla QA Team" blogs; why not a Mozilla Security Team blog?
As this relates to all Mozilla products, it should eventually be handled by mozilla.org staff (when it reforms).

For the short term, we have:
* http://www.mozilla.org/projects/security/known-vulnerabilities.html
* http://www.mozilla.org/projects/security

I also wonder if putting up a prominent link to the security bugs in bugzilla would help?

Any other suggestions here (beyond what has been already suggested)?
Status: NEW → ASSIGNED
I don't think this is necessarily a matter for staff. Management of security bugs and security messaging has been delegated to the security group, because they are the experts. So I would suggest that staff only needs to consider the issue if the security group cannot agree on a good solution to the problem.

Gerv
(In reply to comment #4)
> Management of security
> bugs and security messaging has been delegated to the security group, because
> they are the experts.

This is not about changing the current management of security; it is a suggestion to create a communication channel for the security team to inform security professionals (and heavy users) about upcoming or recently released patches, zero-day exploits, possible workarounds, and other information that could help us maintain the security of Mozilla products on the user side.
Window, we interpret this as a request for a public channel on security issues.

Could you evaluate this request and decide what action, if any, is required?
Assignee: zak → window
Status: ASSIGNED → NEW
I think the public channels and information are there to support the original request in comment 0.  That request was "information is needed to assess the security risks, define workaround strategies and prepare to update Firefox and others Mozilla's applications quickly and cleanly."

The vulnerabilities page, and the newly formed "Firefox & Thunderbird pre-release announcement lists" should provide the kind of information needed to make informed decisions.

See pre-release announcement page post for more info.
http://groups.google.com/group/mozilla.feedback.firefox.prerelease/browse_thread/thread/a09adfc0e8102ecd/#

One problem we still might have is navigation to this information.  A good and easy navigation path to the vulnerability page from http://www.mozilla.org or http://www.mozilla.com doesn't exist, and this still might confuse users when they hear a news blip about Mozilla security updates and come to the main sites to try and find out more.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED