There has been a little confusion over the sec-review-needed and sec-review-complete keywords that were added to bugzilla.mozilla.org in June, which I hope to clear up with this blog post. I have spoken about these a little on the dev.planning list, in the Tuesday engineering meeting and at the weekly all hands on July 11 (has slides). So I will use this post to go into more detail as well as repeat a bit of what I have already presented.
What it is/not
This is simply an indicator that someone feels the security team should be involved with an item. When I say security team I am talking about security on our development side (not our infrasec team). So if someone sets the keyword sec-review-needed, we will triage the item and decide what kind of involvement we think is needed, if any at all. This is not meant to block the landing, tracking, approval or any other normal work that would occur for a bug. Right now it's just a way for us to get an idea of the things we and others think we should be examining to improve security in our products. This is also primarily for Firefox, Thunderbird and their related projects. The idea is to start with a small scope and get an idea of what this tells us. All of this could change or even be dropped if it turns out not to be useful.
Why
The shortest and best answer is that we need data. It would be very useful to know which patches or areas have undergone a security review of some kind and which have not. If an item later has a security incident we can check whether a security review was done, and if so what we missed and why, or whether a review simply wasn't done. Taking action without data is just guessing, so we need some data to start with so we can analyze what it means and the impact of the actions we take. We are doing much the same thing with features and the feature pages. As with anything we have limited resources, and we want to deploy those resources for maximum effect. To do that we have to have data on what we are doing and on the outcomes of those actions.
What to do
If for any reason you think a bug (one you own, or even one you don't) could benefit from some involvement by the security team, set the keyword sec-review-needed. We will triage it, make a decision as to action, make notes in the bug, maybe have some meetings, and work with the developers to find the best course of action. Again, this is _not_ meant to halt work on a bug; we want to find a constructive path to completion. When we are done we will set the keyword sec-review-complete. From the two keywords we should be able to build some basic metrics around our activities and their effectiveness, and then continue to drive changes to improve the process.
If you have questions, find me on IRC or drop me some mail.