Security/Meetings/SecurityAssurance/2013-01-22
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [mcoates] Goals - Please keep status up to date - google doc
- First time using Google Docs
- \o/\o/
- Please don't add/delete/rearrange columns, because that might push the limits of the reporting mcoates set up
- [jesse]
- Exploitable crashes in crash-stats
- You can now see an 'exploitability' rating for each crash report (if you're logged into crash-stats)
- This feature was added in bug 794540
- In bug 819426 there's a CSV of exploitable crashes
- Cannot yet search for exploitable crashes -- bug 497731
- [yboily] Marionette & JS Remote Debugging Protocol - security work/fuzzing that was done
- bug 832000
- desktop review: https://wiki.mozilla.org/Security/Reviews/Marionette
- [curtisk] champions meeting update
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
- [pauljt] Re-hashed a central page for tracking B2G work https://wiki.mozilla.org/Security/B2G
- It's just a skeleton, but please contribute/update as we move forward
- How do we want to co-ordinate work? Do we need a weekly catch-up? If so, when?
- [decoder] We got ASan builds from RelEng
- https://tbpl.mozilla.org/?noignore=1&jobname=asan
- Various work going on around getting test failures resolved and continuous tests running (details below)
- \o/
- [dchan] will be in SF Feb 11-13
- [yboily] out next week.
Planned Blog Posts
Speaking Engagements
- (Who) : Date: Name of Event : Talk Title: Link
- Simon Bennetts : Feb 2-3 : FOSDEM : Talking about ZAP :)
- Raymond Forbes : Feb 27 - March 2 : Nullcon
Security Review Status (curtisk)
- Completed in Q4 2012: 50
- Number of Reviews Completed (so far this quarter): 19 (10)
- Number of Outstanding Reviews: 116 (124)
- Number of Reviews Ready For Review: 58 (65)
- Number of reviews without risk rating: 53 (55)
- Number of reviews without deadline set: 109 (114)
- Find Yours:
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- Work ongoing in providing missing fonts to users - anyone know about fonts on Android?
Sync (Simon Bennetts)
No update
Services (Simon Bennetts & Adam Muntner)
No Update
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [decoder] 290 jit-tests landed and bugs marked in-testsuite+
- [gkw, decoder] Fuzzed for bug 828466 and bug 830943
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No update
Web Developer Tools (Mark Goodwin)
- Work starting on taint project; have an undertaking from devtools to assist with frontend work (Ivan, our new contributor, will be leading the engineering work on this).
- Ameya (the contributor who was previously working on Security Report) is back and getting set up (we'll see where this goes)
Networking (Christoph Diehl)
- Bug 824919 landed and fixed a lot of WebRTC security bugs.
Media / Graphics (Christoph Diehl)
Peach (Christoph Diehl / Raymond Forbes)
- Added JAR/ZIP fuzzer
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No update
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune) ()
AddressSanitizer (Christian Holler)
- We got ASan builds from RelEng: https://tbpl.mozilla.org/?noignore=1&jobname=asan
- Working on fixing orange builds (test incompatibilities/failures)
- Preparing tests for opt-builds (outstanding code changes)