Security/Meetings/SecurityAssurance/2014-06-17

Agenda

Hosted by Appsec

  • curtis: Metrics
  • [curtisk] New mentoring tags
    • When marking bugs as [good first bug], you should now include your email address (?)
  • Aabha: Bug bounty Hall of Fame
    • We plan to put more metadata (such as who the bounty was awarded to) in the *attachment description* to make this more toolable
    • Test instances for Bugzilla and Mozillian have been deployed.
    • Able to fetch the required info from both Bugzilla and Mozillian DB
  • piyushw: Booting up with Angular JS, experimenting with Minion Code
  • dchan: Shumway
    • https://people.mozilla.org/~dchan/html5/template.html?full#slide0
    • https://github.com/mozilla/shumway/tree/nat
    • Written in TypeScript. Types are checked statically, then the type information is removed as it is converted to JavaScript to run in the browser.
    • [Jesse] I hope we're not planning to support the intentional security holes in Flash, such as the ability to set the clipboard
    • At least two quarters from launching
    • Won't be sandboxed the same way as new versions of Adobe Flash Player. But also less room for memory safety issues, because most of it is implemented in JS / TS / AS.
    • https://etherpad.mozilla.org/shumway-security-testing
    • [Jesse] Who has found Flash security policy bugs in the past? Have we invited them to poke at Shumway?
    • [freddyb] I worry about capability leaks due to differences between the web and Flash security models (in particular, because embedding a Flash file and embedding a script are supposed to have different meanings)
    • Should we run a special bounty, like we did for pkix?
  • [joe] Introducing GENE WOOD. Welcome to the OpSec team! "gene" on IRC.
  • sec-champs now has a mozillians group

Team Updates (Silent)

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operations Security