Upcoming changes to Firefox Security Advisories


Frederik Braun

May 13, 2025, 6:14:17 PM
to dev-pl...@mozilla.org, Firefox Dev, Mozilla, security-group
Hi all,

For those who don't know, we publish detailed security advisories for every new Firefox release.
A typical advisory lists 10 to 20 security issues with a title, their severity, the reporter and a description. Writing these advisories is a cumbersome, manual process that takes too much time.

We believe that this is not time well spent. 
We don't believe that people should make their decisions whether to update Firefox based on the individual CVEs that were fixed in a specific release. As an evergreen product in a connected world, Firefox is only kept secure if full browser updates are applied as soon as possible and not weighed on the little information that we can include in our description.
People that do need more information and are building software downstream of our source code may be nominated for our security group. This group gets insights into the actual bugs and their fixes ahead of release.
We will continue to make security bugs public once they have been fixed and when a significant portion of our users had the chance to apply an update. This typically happens a couple of months after the specific release.

As a result of these considerations, we would like to switch our security advisory format to a simpler template that contains less details. We intend to keep the following information: CVE-ID, Severity, Reporter, Title, Component and a reference to the bug on bugzilla.

We do not plan to implement these changes right away and want to gather feedback before doing so. If you are someone who relies on the information that we currently provide, please reply to this thread on dev-platform. If the details are very sensitive, feel free to send to secu...@mozilla.org instead.

Thank you,
Frederik Braun on behalf of the Firefox Application Security Team

Nick Alexander

May 13, 2025, 9:04:58 PM
to Frederik Braun, dev-pl...@mozilla.org, Firefox Dev, Mozilla, security-group
Hello sec team!

On Tue, May 13, 2025 at 5:44 AM 'Frederik Braun' via firef...@mozilla.org <firef...@mozilla.org> wrote:
> Hi all,
>
> For those who don't know, we publish detailed security advisories for every new Firefox release.
> A typical advisory lists 10 to 20 security issues with a title, their severity, the reporter and a description. Writing these advisories is a cumbersome, manual process that takes too much time.
>
> We believe that this is not time well spent.
> We don't believe that people should make their decisions whether to update Firefox based on the individual CVEs that were fixed in a specific release. As an evergreen product in a connected world, Firefox is only kept secure if full browser updates are applied as soon as possible and not weighed on the little information that we can include in our description.
> People that do need more information and are building software downstream of our source code may be nominated for our security group. This group gets insights into the actual bugs and their fixes ahead of release.
> We will continue to make security bugs public once they have been fixed and when a significant portion of our users had the chance to apply an update. This typically happens a couple of months after the specific release.
>
> As a result of these considerations, we would like to switch our security advisory format to a simpler template that contains less details. We intend to keep the following information: CVE-ID, Severity, Reporter, Title, Component and a reference to the bug on bugzilla.

I am not so familiar with our sec process details.  When the advisory is published, is the information needed to write the description publicly available?  I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves?

Thanks!
Nick

Gijs Kruitbosch

May 13, 2025, 9:33:42 PM
to Nick Alexander, Frederik Braun, dev-pl...@mozilla.org, Firefox Dev, Mozilla, security-group

> When the advisory is published, is the information needed to write the description publicly available?  I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves?

No. Advisories are published around the time the release goes out, and bugs (which typically contain a lot more detail about the specifics of the issue and the fix) are not opened up until users have broadly updated to builds containing the fix for the security issue. This is to avoid exposing users that are still on older builds to exploitation.

~ Gijs


Nick Alexander

May 13, 2025, 9:50:13 PM
to Gijs Kruitbosch, Frederik Braun, dev-pl...@mozilla.org, Firefox Dev, Mozilla, security-group
On Tue, May 13, 2025 at 9:03 AM Gijs Kruitbosch <gijskru...@gmail.com> wrote:

> > When the advisory is published, is the information needed to write the description publicly available?  I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves?
>
> No. Advisories are published around the time the release goes out, and bugs (which typically contain a lot more detail about the specifics of the issue and the fix) are not opened up until users have broadly updated to builds containing the fix for the security issue. This is to avoid exposing users that are still on older builds to exploitation.

Thanks for clarifying, Gijs.  So: there is less information published, and a justification for that reduction based on the effort involved.  Fine by me!
Nick

Daniel Veditz

May 14, 2025, 9:07:38 AM
to Nick Alexander, Frederik Braun, dev-pl...@mozilla.org, Firefox Dev, Mozilla, security-group
On Tue, May 13, 2025 at 8:34 AM 'Nick Alexander' via dev-pl...@mozilla.org <dev-pl...@mozilla.org> wrote:
> I am not so familiar with our sec process details.  When the advisory is published, is the information needed to write the description publicly available?  I.e., is the "reference to the bug on bugzilla" -- a link to the bug, I assume -- open so that a motivated individual could plausibly produce the description themselves?

The bugzilla link is there to tie the public CVE identifier with the bugzilla ID known and used by the folks who work on Firefox. It's not required, but it's useful in an open source project. Chrome also links to their internal bug numbers when they publish CVE information (the bugs remain hidden for a while like ours). Apple doesn't give any kind of internal reference for Safari vulnerabilities, not even the ones filed in their bugzilla for webkit.

In case it's useful for comparison, here are links to some recent browser advisories:

Daniel Veditz

May 22, 2025, 7:42:17 AM
to Nick Alexander, Frederik Braun, dev-pl...@mozilla.org, Firefox Dev, Mozilla, security-group
On Tue, May 13, 2025 at 8:37 PM Daniel Veditz <dve...@mozilla.com> wrote:
> Apple doesn't give any kind of internal reference for Safari vulnerabilities, not even the ones filed in their bugzilla for webkit.

The webkit part is just plain wrong, and I even included a link that proves me wrong:
Sorry folks, don't know where my head was at. 