• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [Jesse] Fuzzing team discussed Q4 and 12-month goals: https://security.etherpad.mozilla.org/dveditzQ4goalscratchpad
  • http://memegenerator.net/instance/10745382
• [Mcoates] Java Vuln - http://seclists.org/bugtraq/2012/Sep/109
• [Mcoates] Talk about Goals
• [gkw] New hire bullet points
  • Security Bugs
    • When filing a security related bug, check the box labelled:
      • "Many users could be harmed by this security problem: it should be kept hidden from the public until it is resolved."
    • Always be more conservative than necessary
    • Bugs will be opened up if they deemed not sensitive
  • Security Reviews
    • Engage the Security Assurance team early on as we may be able to help you avoid security concerns
    • File a security review for evaluating the security aspect of a project proposal
    • File a security review for a new feature
    • More information at https://wiki.mozilla.org/Security/ or at #security
• Project Kick Off Form - https://wiki.mozilla.org/Kick-Off_Form
• [rforbes] HSM usage and stuff
• [gkw] http://gear.mozilla.org just got released
  • "Splendidest"?!
  • We just un-released it.
• Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q3+Goals

Security Review Status (koenig)

• Completed in Q3 2012:
• Number of Reviews Completed (so far this quarter):55 (51)
  • https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-06-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org;list_id=4490009
• Number of Outstanding Reviews: 143(144)

https://bugzilla.mozilla.org/buglist.cgi?chfieldto=Now;chfield=bug_status;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;list_id=4490010 up higher :)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

• the system is still changing

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

Sync (Simon Bennetts & Adam Muntner)

Services (Simon Bennetts & Adam Muntner)

Social - Pancake (Mark Goodwin)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• [decoder] Minor amount of regressions due to IonMonkey on mozilla-central, fuzzing x86 and ARM to shake them out until aurora uplift.
• [Jesse & gkw] We have multicore jsfunfuzz'ing!

DOM, XPConnect (Jesse Ruderman)

• [Jesse & gkw] We have multicore domfuzz'ing!

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• [gkw & Jesse] Grappling with Valgrind builds on tbpl

Web Developer Tools (Mark Goodwin)

Networking (Christoph Diehl)

• No update

Graphics (Christoph Diehl) =

• No update

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

lots of updates.

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

• Major blockers for ASan on try landed, but memory constraints on try are problematic with ASan in general.