• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• Welcome Christiane Ruetten [:cr] https://phonebook.mozilla.org/#search/cruetten (she says "ohai")
• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
• Q1 Wrapup
  • [Jesse] I'm happy with Q1 browser changes: removal of window.Components, CSS columns fixes, cookie policy, ASan/TSan fixes and annotations, plugin click-to-play improvements
  • [gkw] a big thank you to all who helped get machines for the fuzzer folks, shoutout goes to abillings for following through
  • Q1 goal spreadsheet will be locked down soon
  • In the next week, copy/paste your goals into work.com and add narrative (which might include non-goal work you did)
• Q2 Planning
• [curtis / Jesse] work week fuzzing day
  • talking to RIM about having a mobile fuzzing presence
  • [Jesse] Should we invite other DOM fuzzing people from other companies? (Inferno from Google, etc)
• [Jesse] It would be nice if people with non-Mozilla-hosted WordPress blogs could benefit from AppSec's work to determine which plugins are sketchy, reviewed, etc.
  • [tinfoil] We could make a WordPress plugin to scan your WordPress plugins! plugin fix plugin!
  • [tinfoil] It's sorta possible to determine whether some plugins are installed (but not whether they're enabled) (but sometimes they introduce vulns even when disabled)
• [yvan] WordPress blogs could go read-only if they switch to DISQUS for comments
  • [jesse] But eww then we're loading third-party scripts, and not searchable, and lose control over backups
• [dveditz] Draft paper comparing browser bug bounty programs
  • Paper shows that Chrome fixes their bounty bugs faster (?)
    • [decoder] Chromium seems to have a top-down approach to assigning security bugs to developers
      • Can we do that too?

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• Psiinon LatAm Uruguay (remote) tomorrow
• MGoodwin 10th @ Sheffild Hallam (will update talks pages)
• Yvan, BSidesWinnipeg (November)
• Yvan,
• Yvan,
• St3fan, Submitted a talk about Firefox OS to OHM2013 https://ohm2013.org
• St3fan, Will submit a talk about Minion to OHM2013

Planned Blog Posts

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Metrics (curtisk)

• Security Reviews Completed in Q1 2013: 66

https://security-review-statistics.vcap.mozillalabs.com/weekly

• • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
• https://people.mozilla.com/~sarentz/p/websecbugs/

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

• [gkw] Released orangfuzz - a Firefox OS UI fuzzer based on top of the orangutan framework (development may be a Q2 goal)
  • https://github.com/mozilla/orangfuzz
  • https://github.com/wlach/orangutan

Firefox Core

MarketPlace

Web Apps

Services

Operation Security