Updates to Firefox Sec Approval, Rating Process, and Keywords


Tom Ritter

Jun 18, 2026, 2:24:04 PM
to dev-pl...@mozilla.org

On behalf of the security team, we wanted to take this opportunity to thank everyone for their continued resilience in the onslaught of security bugs, as well as the varying levels of quality we’ve been getting out of models. What works well one month seems to not work as well the next month, and we’re trying to adapt.


We also want to try to reduce friction and give you more agency and the confidence to use it, so we’re changing some of the processes:


  1. The csectype-sandbox-escape keyword is for sandbox escapes to the Parent process *only* and where the attacker gets some sort of code exec or OS access (like arbitrary file read).  If it’s to another process - it would get csectype-priv-escalation. If it’s “I can read another origin’s data” it’s csectype-site-isolation.

  2. When you are ready to land a patch, and the bug is not yet rated sec-high, moderate or low - please give it a rating.  If you’re not sure how to rate it, leave us a simple comment saying the impact of the bug, and we will find it and rate it eventually.

    1. Examples: “With a compromised content process, an attacker can tell what websites you have open in PBM” or “In an unsupported configuration this is a sandbox escape”

    2. If you get any pushback from external reporters, you can just say something like “I will let the bug bounty committee review and correct it if needed.”

  3. The sec-approval process is being significantly trimmed.  You will ONLY need to request sec-approval if the bug has the csectype-sandbox-escape tag.  (We will typically hold these until midway through the cycle)

    1. Please ensure the tracking flags are set correctly for beta and esr branches though!


We are updating our documentation, but please reach out if something is missing, outdated, or unclear.


We’re also going to have more updates to processes this year - more detailed rating (and bounty) matrices that take into account different process types, automated rating and triage tools, so if you have feedback about how you would like things to work, please let us know.


References:

Client Severity Ratings and Keyword Definitions: https://wiki.mozilla.org/Security_Severity_Ratings/Client 

