Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
Phone (Toronto): 416 848 3114 x92 Conf: 95316#
Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
[mcoates] Company wide updates
[yvan / curtis] Reviews - Refining handling & scoping effort, time,
[mcoates] 1on1s
[mcoates] Kilimanjaro
- https://wiki.mozilla.org/Kilimanjaro
- https://wiki.mozilla.org/Kilimanjaro/ProductDraft
- We will prioritize reviews that are blocking Kilimanjaro, starting with WebRT
[mcoates] Work Week
- When: Late June, Early July? - (Infra: London Aug 12) Aug 13-17, 20-24, Sept
  - http://www.doodle.com/
  - Where: Europe - London?
  - Berlin in Oktober? ahem. AppSecUSA October 22 – 26, 2012
  - Including volunteers/community members, or employees only? - Want to include some community
[Jesse] Google upped their bug bounty for web sites (but not for Chrome)
- http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
- http://www.infoworld.com/t/hacking/bug-bounty-hunters-weigh-in-googles-vulnerability-reporting-program-191710 - Jesse was quoted :) \o/
[mcoates] Embedded team members: remember that you can ask for help from other security team members; you don't have to do everything yourself.
[mcoates] Bugzilla mail tips & tricks
- https://etherpad.mozilla.org/bugzilla-filter-tips
[decoder] We got Linux Firefox+ASan builds on try now, if you need one, ping me. \o/

Security Review Status (koenig)

Number of Reviews Completed (so far this quarter): 40 (last week 16) <-- nice work
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 21
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =19
Number of Outstanding Reviews: 172 (last week 129)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 122

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault)

Browser API is a bit more defined now (iframe mozbrowser) https://wiki.mozilla.org/WebAPI/BrowserAPI
B2G workweek in san diego next week
- Define security review process/get team onboard
- Review draft Web App Permission Process
Security reviews started moving slowly, but most features are not completed
- Documenting threats in the meantime

Thunderbird (Dan Veditz)

Rust (Jesse Ruderman)

Upcoming “lifetimes” feature could be awesome. Moves the “pass by reference” concept into the typesystem and makes more general.
- http://smallcultfollowing.com/babysteps/blog/2012/04/25/references/
- http://pcwalton.github.com/blog/2012/04/23/why-lifetimes/

Mobile (David Chan)

no update

Sync (David Chan & Yvan Boily)

still working on sync 2.0

Services (David Chan & Yvan Boily)

notifications review being scheduled

Social - Pancake (Mark Goodwin)

Much frantic bug fixing going on in prep for public release. Some security stuff outstanding, but they won't be progressing without resolving.

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

[gkw] More ESR fuzzing
[gkw] Pushed along some Valgrind issues on TBPL

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

Great feedback again for us getting ateam secreviews back on track
- Embedding is effective

Web Developer Tools (Mark Goodwin)

I'm having fun on a first bug :D - little else to report.

Networking (Christoph Diehl)

Going to port Server-Sent DOM Events to Peach
Still working on SPDY v3

Graphics (Christoph Diehl) =

Going to re-test some older items with ASAN builds (graphite, icon, bitmap)
Filed more Opus bugs

Market (Raymond Forbes)

Launching soon?

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Apps in the Cloud (David Chan)

client needs review

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

- 3rd party review to be pushed

Identity Services (David Chan)

working on sign into browser

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

TellUsMore review is happening late this / early next week.

Security/Meetings/SecurityAssurance/2012-05-01

Contents