Add John Karahalis and Ali Spivak to group "Security-Sensitive Websites"

Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Component: Administration
Reported: 5 years ago
Last modified: 4 years ago

People: (Reporter: openjck, Assigned: reed, NeedInfo)

Tracking: Production

(Reporter)

Description

5 years ago
Please add me (jkarahalis@mozilla.com) and my manager Ali (aspivak@mozilla.com) to the "Security-Sensitive Websites" group so that we can see security-sensitive bugs filed against MDN by default.

In fact, I wonder if it would make sense to open this permission to all Mozilla employees. We are not going to exploit our own products, and the risk of making bugs invisible to the people who could fix them (e.g., me, Ali, and the people on my team) might outweigh the risk of opening security-sensitive bugs up to anyone in the company. Just my two cents.
Comment 1

5 years ago
Adding dveditz and mcoates to bug cc as they are admins for the group and will approve the change.

dkl
(Reporter)

Comment 2

5 years ago
Friendly ping. Any updates?
(Assignee)

Comment 3

5 years ago
(In reply to John Karahalis [:openjck] from comment #0)
> Please add me (jkarahalis@mozilla.com) and my manager Ali
> (aspivak@mozilla.com) to the "Security-Sensitive Websites" group so that we
> can see security-sensitive bugs filed against MDN by default.

Added.

> In fact, I wonder if it would make sense to open this permission to all
> Mozilla employees. We are not going to exploit our own products, and the
> risk of making bugs invisible to the people who could fix them (e.g., me,
> Ali, and the people on my team) might outweigh the risk of opening
> security-sensitive bugs up to anyone in the company. Just my two cents.

Sorry, not going to happen. Risks are just too high, especially considering the critical severity of some bugs. In fact, on the main security group, we're working on cutting down the number of people who can see security bugs. Too many potential problems.
Assignee: nobody → reed
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

5 years ago
I understand. I still feel that Bugzilla could handle this better, though. Our team recently discovered 10+ active, weeks-old security flaws on MDN. If we had only known about them, we could have fixed them and protected our users from harm sooner.

I see that making security-sensitive bugs available to all Mozilla employees might not be the best approach, but perhaps Bugzilla could do something else, something that better balances making these bugs available to the right people without exposing them to the wrong people.
Comment 5

5 years ago
(In reply to John Karahalis [:openjck] from comment #4)

We're working on this exact issue. We want to identify key individuals from each team and ensure they have proper visibility into security bugs specific to their areas. I added Yvan to this bug. He's a good person to follow up with via email to discuss suggested enhancements from a workflow perspective.
Comment 6

5 years ago
(In reply to Michael Coates [:mcoates] from comment #5)
> (In reply to John Karahalis [:openjck] from comment #4)
> 
> We're working on this exact issue. We want to identify key individuals from
> each team and ensure they have proper visibility into security bugs specific
> to their areas. I added Yvan to this bug. He's a good person to follow up
> with via email to discuss suggested enhancements from a workflow perspective.

We could extend the WebService code to allow updating of users' permissions, and you could use some script on your end to periodically make sure that people have the right permissions. There is bug 469196 about this upstream, but no patch that I can see yet.

dkl
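The periodic check dkl describes above, as an added example that is not code from this bug, from Mozilla, or from Bugzilla itself: it compares a team-maintained roster of who should hold a group against what Bugzilla reports, and flags both who is missing and, more importantly for a security group, who holds it without being on the roster. It assumes the JSON shape of Bugzilla's REST User.get response (`users` -> `groups` -> `name`, returned in full only to privileged callers) and an `api_key` query parameter; the roster `DESIRED`, the `SAMPLE_RESPONSE`, the e-mail addresses in it and the `fetch_users` helper are all constructed for the example. It only audits; granting or revoking membership through the WebService is what bug 469196 is about and is not attempted here.

```python
"""
Audit Bugzilla group membership against a desired roster.

Added example, not code from this bug or from Bugzilla. Assumptions:
  - User.get REST responses look like {"users": [{"name": ..., "groups":
    [{"id": ..., "name": ..., "description": ...}]}]} (assumed shape)
  - the REST endpoint accepts an api_key query parameter (assumed)
The sample data below is constructed so the script runs offline.
"""
import json
import urllib.parse
import urllib.request

# Roster a team would maintain: group name -> who should hold it (constructed).
DESIRED = {
    "Security-Sensitive Websites": {
        "jkarahalis@mozilla.com",
        "aspivak@mozilla.com",
    },
}

# Constructed stand-in for GET /rest/user?names=... (assumed response shape).
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"name": "jkarahalis@mozilla.com",
         "groups": [{"id": 1, "name": "Security-Sensitive Websites",
                     "description": "constructed"}]},
        {"name": "aspivak@mozilla.com", "groups": []},
        {"name": "former.contractor@example.com",
         "groups": [{"id": 1, "name": "Security-Sensitive Websites",
                     "description": "constructed"}]},
    ]
})


def fetch_users(base_url, names, api_key):
    """Live fetch of User.get for the given login names (not used offline).

    Hypothetical helper: base_url like "https://bugzilla.mozilla.org", names a
    list of logins. Returns the raw JSON text so it can feed actual_membership().
    """
    query = [("names", n) for n in names] + [("api_key", api_key)]
    url = base_url.rstrip("/") + "/rest/user?" + urllib.parse.urlencode(query)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def actual_membership(response_json):
    """Map group name -> set of logins holding it, from a User.get-style response."""
    members = {}
    for user in json.loads(response_json).get("users", []):
        for group in user.get("groups", []):
            members.setdefault(group["name"], set()).add(user["name"])
    return members


def audit(desired, actual):
    """Per-group drift for every group on the roster.

    "missing": on the roster but not holding the group (bugs invisible to them)
    "extra":   holding the group but not on the roster (over-broad access)
    Groups absent from the roster are not judged: the roster is the authority
    only for the groups it lists.
    """
    report = {}
    for group, want in desired.items():
        have = actual.get(group, set())
        report[group] = {
            "missing": sorted(want - have),
            "extra": sorted(have - want),
        }
    return report


def audit_response(response_json, desired=DESIRED):
    """Convenience wrapper: raw User.get JSON -> drift report."""
    return audit(desired, actual_membership(response_json))


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_users(...) for a live audit.
    for group, drift in audit_response(SAMPLE_RESPONSE).items():
        print(group, json.dumps(drift))
```

Run on a schedule, a non-empty `extra` list is the finding to act on first: it is the same over-exposure reed is worried about in comment 3, just detected rather than prevented. A non-empty `missing` list is the MDN-side complaint from comment 4, and is what a membership-update API would let the script fix rather than merely report.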
Comment 7

Re-ping on this ...

:yvan - is there a way to add all MDN dev staffers to a group that can see all security bugs in the Mozilla Developer Network product on bugzilla?
Flags: needinfo?(yboily)