• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AthhYg2CqN25dGRDX0ZqTkJ4dTJGWFVyb2RmNTNDbmc
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard
• [Jesse] Who can ensure that https://bugzilla.mozilla.org/show_bug.cgi?id=636374 gets fixed? Evil web sites are actively exploiting this.
  • curtis - talk to chang and see if we have good support data
  • we have lots of dupe bugs around this that should be strong data for fixing
  • freddy to link in bug to a sumo article
• Security Reports
• Process documentation
  • https://wiki.mozilla.org/Security/Process/Agile « ready for review
  • https://wiki.mozilla.org/Security/Process/Secreview_Bug_Process « ready for review
  • https://wiki.mozilla.org/Security/Process/Web_Bug_Triage «  ready for review
  • https://wiki.mozilla.org/Security/Process/Technical_Privacy_Review « actively being edited
  • vendor review « next to be worked on

[pauljt] FxA Review tomorrow - co-ordination? (just want to understand who is looking at what, maybe we can work this out after the review? Just making sure we dont miss stuff)

• [dchan] - just backend for tomorrow, though people working on the "client" pieces should attend to have an idea what is going on. I'll be filling out the info after meeting so that we have time to prepare for meeting.
  • OK thats answers my question i think.
• [psiinon] Zest blog post 'security review' https://mana.mozilla.org/wiki/display/SECURITY/Draft+blog+post%3A+Zest

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

Planned Blog Posts

• X-Frame-Options blog post!!1 to be published on wednesday
• [new] https://mana.mozilla.org/wiki/display/SECURITY/Security+Blog+Posts
• [old]https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1:64 / Q2: 72 / Q3:55

https://security-review-statistics.vcap.mozillalabs.com/weekly << currently broken (best estimate 52)

Operations Security Update (Joe Stevensen)

• mozil1a.org firefox malware: https://bugzilla.mozilla.org/show_bug.cgi?id=947564#c15
• [tinfoil] website software versions by domain email from tinfoil last friday
  • ^-- did you see the mozilla.com.ph "compromise"? https://bugzilla.mozilla.org/show_bug.cgi?id=948282 "You [tinfoil] are not authorized to access bug #948282." [jeff] me either..can someone change the perms?

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operation Security