Since people don't seem to understand how this is normally done despite it having been explained several times already, here's a FAQ entry for it.
How are known security vulnerabilities handled?
They are handled primarily by me (Moonchild) personally being in touch with the Mozilla Security team which provides me with access to relevant bugs on bugzilla, but only after Mozilla has deemed it safe to release to non-team members (which is usually a few days to a week after a Firefox release, and only insofar as the sec bugs have been solved in that particular release, regardless of the criticality of the vulnerability in the wild). This means that every Firefox cycle, but only after release and publication of advisories by Mozilla, I perform an audit of which bugs are applicable and write or port patches to solve sec issues that apply to our code.
This has been done this way for many years and while not ideal, it is most definitely an acceptable solution that keeps us updated with applicable sec fixes for the platform and applications.
Is Mozilla-discovered vulnerability X applicable to UXP-based application Y?
Whether or not a particular Mozilla security issue is Applicable and needs a fix, a patch is DiD (defense-in-depth), or the issue is N/A will be evaluated in due course (see above) as they have been for the past decade or so. You will see a summary of MozSec patches in the application's release notes or in the relative Pale Moon version's release notes when a security update is released.
You may also be able to track commits for sec issues on the Unified XUL Platform repository if you know what you are looking for. However, security issue vulnerabilities should not be discussed on public and web search indexed areas such as the forum for obvious reasons. Any thread started with "Is Pale Moon vulnerable to sec issue X" is subject to deletion. This should not be interpreted as ignoring the issue, but rather as the normal best practice to keep security vulnerability discussion limited to the people directly involved in their reporting and resolution, so as not to provide unnecessary bull's-eye targets on code, platforms or products through full disclosure before it is reasonable to do so. It doesn't matter in that respect if some malicious parties are using something "in the wild" or not.
While "in the wild" exploits will of course get priority over theoretical ones, it will still take some time for issues to be fixed and verified, and while that is still in progress we cannot disclose any details, including whether something is applicable or not.
How do I report a security vulnerability in Pale Moon or other UXP applications?
Our repo does not easily allow sensitive bugs to be filed, which would otherwise be the preferred method. Lacking that, any serious security vulnerability in the software should be reported in private to me either via private message here on the forum, or via e-mail to moonchild @ our domain. Please PGP encrypt your e-mail if you are able, using the published PGP key for that address. Include as much detail about the security issue as possible, like the type of issue, any crash data, threat analysis, potential impact, steps to reproduce, etc. (i.e. all the normal stuff you'd expect a proper vulnerability report to contain). Do not post any of this publicly on the forum or in our repo.
How are security vulnerabilities handled?
Moonchild - Pale Moon guru
Posts: 38489
Joined: 2011-08-28, 17:27
Location: Sweden