Closed Bug 508145 Opened 15 years ago Closed 10 years ago

amo should host a security page with disclosure information about past security problems in addons.

Categories

(addons.mozilla.org :: Security, enhancement, P4)

Tracking

(Not tracked)

RESOLVED WONTFIX
Future

People

(Reporter: chofmann, Assigned: jorgev)

maybe we should start a page like http://www.mozilla.org/security/announce/ for addons to help inform developers and reviewers to avoid past mistakes and inform users about updates they need to get, or addons or classes of addons that might pose risks.

nick suggests we host the page on the new amo developer site planned to go live soon.

we would need some research to dig up and catalog past vulnerabilities, and the new additions that came out of this defcon session -- https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Liverani

page should also link to a page that outlines the process and best practices for reporting security problems to addon developers, amo editors/reviewers, and amo site managers.

Sounds like a wonderful idea, though I expect the list to get quite long. Would probably need to split it up into one page for highly used add-ons and another for the rest.

Hardware: x86 → All

Related, we should also put an overview doc on MDC on best practices related to security. I have a document in the works that is currently being vetted/evaluated.

Blocks: 524869

-> nick for planning

Assignee: nobody → nnguyen
Severity: normal → enhancement
Priority: -- → P4
Target Milestone: --- → Future

This is something that Jorge and Justin should consider for inclusion in Developer.amo.

Assignee: nnguyen → jorge

Thanks for filing this. In an effort to not drown in existing reports we're aggressively closing old enhancements and bugs to get the buglist to a reasonable level so we can scope and process bug sprints in an effective manner.

Patches for this bug are still welcome.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX