
Bugzilla Security Keywords


Curtis Koenig

Jun 16, 2011, 8:46:49 PM6/16/11
to dev-pl...@lists.mozilla.org, dev-q...@lists.mozilla.org
In an effort to increase our ability to review bugs for security and to
get some metrics around where our efforts are showing results; the
security team has added two new keywords for use in Bugzilla:

* sec-review-needed
* sec-review-complete

If you have a bug that you believe needs security attention (for, say,
implementation or patch review), or you need some possible security input
on an issue or security guidance of some kind, then please set the keyword
"sec-review-needed"; we will review the item and determine the
appropriate action for our team to take.

While we are evaluating or working an issue, this state will remain and
we will track the work being done or to be done via the security radar
site (http://wiki.mozilla.org/Security/Radar), just like we do our other
activities to date, along with notes in the bug. We will also set this
flag on items that we see a need to, for items that trickle up to our
attention. This work is alongside the work we now do on traditional
security vulnerability bugs that are handled via our published process.
A large part of the goal here is to find issues before they become
vulnerabilities or security reports. This also has 2 other benefits.

1) To allow the community to help the security team find and act on
issues we may be unaware of.
2) To track where we have done security work and track its effectiveness
in preventing possible issues.

This also fits into our goal of increasing our security reviews of both
features and patches and ensuring that the process is effective and
valuable to all involved. If you have questions about how we are
evolving the process please check out our wiki page
http://wiki.mozilla.org/Security or feel free to engage with us via IRC
on #security.

Thanks,
Curtis Koenig
Security Program Manager
