How are security vulnerabilities handled?

Frequently Asked Questions about the Pale Moon browser and their answers.
User avatar
Pale Moon guru
Pale Moon guru
Posts: 32443
Joined: 2011-08-28, 17:27
Location: Tranås, SE

How are security vulnerabilities handled?

Unread post by Moonchild » 2020-01-09, 16:26

Since people don't seem to understand how this is normally done despite it having been explained several times already, here's a FAQ entry for it.

How are security vulnerabilities handled?

They are handled primarily by me (Moonchild) personally being in touch with the Mozilla Security team which provides me with access to relevant bugs on bugzilla, but only after Mozilla has deemed it safe to release to non-team members (which is usually a few days to a week after a Firefox release, and only insofar the sec bugs have been solved in that particular release, regardless of the criticality of the vulnerability in the wild). This means that every Firefox cycle, but only after release and publication of advisories by Mozilla, I perform an audit of which bugs are applicable and write or port patches to solve sec issues that apply to our code.

This has been done this way for many years and while not ideal, it is most definitely an acceptable solution that keeps us updated with applicable sec fixes for the platform and applications.

Is Mozilla-discovered vulnerability X applicable to UXP-based application Y?

Whether or not a particular Mozilla security issue is Applicable and needs a fix, a patch is DiD (defense-in-depth), or the issue is N/A will be evaluated in due course (see above) as they have been for the past decade or so. You will see a summary of MozSec patches in the application's release notes or in the relative Pale Moon version's release notes when a security update is released.

You may also be able to track commits for sec issues on the Unified XUL Platform repository if you know what you are looking for. However, security issue vulnerabilities should not be discussed on public and web search indexed areas such as the forum for obvious reasons. Any thread started with "Is Pale Moon vulnerable to sec issue X" is subject to deletion. This should not be interpreted as ignoring the issue, but rather as the normal best practice to keep security vulnerability discussion limited to the people directly involved in their reporting and resolution to not provide unnecessary bulls-eye targets on code, platforms or products through full disclosure before it is reasonable to do so. It doesn't matter in that respect if some malicious parties are using something "in the wild" or not.
While "in the wild" exploits will of course get priority over theoretical ones, it will still take some time for issues to be fixed and verified, and while that is still in progress we cannot disclose any details, including whether something is applicable or not.
"The best revenge is to not be like the person who wronged you." -- Marcus Aurelius
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb