There's been some discussion of what Mozilla should do with security bugs, and their fixes.

The following text comes from bug 28387:
------- Additional Comments From sha...@mozilla.org 2000-03-23 09:01 -------

Why is this bug Netscape-confidential?
------- Additional Comments From nor...@netscape.com 2000-03-23 09:47 -------

I've made this bug Netscape confidential as I have all open security exploits against the browser.

I hope you'll agree that having open exploits visible to all comers is not the right policy as more people begin using mozilla. I'll also agree that Netscape-only isn't quite right--ideally it would be a set of trusted people in and out of Netscape that would have visibility access to open security exploits. It's a pain for instance that Georgi Guninski, who works from Bulgaria and thus doesn't have Netscape-only access, can't even see the bugs he's found.

Once exploits have been fixed and the fixes have had time to propagate to enough users, then the bugs should be open for all to view. I had been switching bugs over from Netscape Confidential to open once they were fixed, but now even after I fix bugs in the tip I've been leaving them Netscape Confidential since the bugs are present in the soon-to-be-released beta.

We could push mozilla.org to create a new category of visibility for security bugs and let them maintain a list of trusted viewers. I hadn't pushed for this because I wasn't sure the extra effort was worth the gain.
------- Additional Comments From sha...@mozilla.org 2000-03-23 10:01 -------

I think it's inappropriate for Netscape to be given special privileges WRT security bugs. What about other users of the code, who might also be shipping product or beta that could contain these bugs? They can't even _know_ about this bug, or understand the motivation for code that you're checking into the Mozilla tree -- which they might or might not want in their product -- with the current setting. Why should the Mozilla community trust Netscape if Netscape doesn't trust the community? (And why is it OK for _anyone_ at Netscape -- plus myself and perhaps a handful of other ex-Netscapers -- to see this? Why do they deserve special trust, just because of their email address?)

I think that Netscape has ample opportunity to decide whether to fix these bugs in their beta, given that there are known fixes in hand. If that is too much risk for the Netscape beta managers to take, then that is their decision, and it shouldn't impact the rest of the Mozilla community.

I personally believe that as soon as there is a fix, workaround or piece of user advice (``don't add bookmarks for javascript: URLs from untrusted sites'') that's sufficient to prevent or limit the danger, we shouldn't be restricting it at all. (I think that restriction of vulnerability information should only occur in very dangerous, very specific cases, and it should probably involve discussion with st...@mozilla.org: this bug wouldn't be such a case, to my mind, but I'd have been happy to debate it with others.)

I also believe that people who are reporting bugs in Mozilla should be reporting them through Bugzilla. If Georgi wants to report Netscape-beta bugs to Netscape, that's his choice, but I think he should be working in Bugzilla like the rest of our bug reporters.
------- Additional Comments From nor...@netscape.com 2000-03-23 11:06 -------

Shaver: Yes, start a discussion on n.p.m.security. I agree that security bugs should have an audience wider than Netscape, I just think that there needs to be some secrecy surrounding known exploits in software that is in use. That secrecy benefits mozilla users and mozilla contributors and isn't a Netscape-specific benefit.
-----------------------------------------------------------------
I think we agree on the following points:

- keep security bugs relatively quiet (Security Group Only) until a fix is found, tested and committed
- Security Group needs to be different than ``Netscape only''

What's left to decide is, at least:

- how is the Security Group populated?
- what do we do once a fix is found?
- does our policy differ when we get to a ``production release'', versus our current not-yet-beta state?
I'll post with my thoughts on these topics in a reply, hopefully today.
Mike