Security: Code reviews for security or private bugs should be private as well
Reported by
resea...@nightwatchcybersecurity.com,
Apr 8 2016
Issue description

Right now code reviews are public even if the underlying bug is private. Examples:
https://codereview.chromium.org/1867553002/
https://bugs.chromium.org/p/chromium/issues/detail?id=600232

And our bug:
https://codereview.chromium.org/1827303002
https://bugs.chromium.org/p/chromium/issues/detail?id=596354

It would be trivial to write a program that parses all code reviews, looks for bug links and hits them to check if they are private or not. This can result in something along the following which happened to Firefox:
http://www.computerworld.com/article/2980745/web-browsers/mozilla-admits-bug-tracker-breach-led-to-attacks-against-firefox-users.html
Apr 10 2016
Mozilla approach here: https://wiki.mozilla.org/Security/Bug_Approval_Process
Apr 10 2016
Example of a two month bug:
https://codereview.chromium.org/1577533002/
https://bugs.chromium.org/p/chromium/issues/detail?id=575275
Jul 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Mar 9 2017
Comment 1 by kenrb@chromium.org, Apr 8 2016