richard pushed to branch base-browser-115.9.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits:

1 changed file:

Changes:

  • .gitlab/issue_templates/Emergency Security Issue.md
    1
    +**NOTE** This is an issue template to standardise our process for responding to and fixing critical security and privacy vulnerabilities, exploits, etc.
    
    2
    +
    
    3
    +## Information
    
    4
    +
    
    5
    +### Related Issue
    
    6
    +- tor-browser#AAAAA
    
    7
    +- mullvad-browser#BBBBB
    
    8
    +- tor-browser-build#CCCCC
    
    9
    +
    
    10
    +#### Affected Platforms
    
    11
    +
    
    12
    +- [ ] Android
    
    13
    +- [ ] Desktop
    
    14
    +  - [ ] Windows
    
    15
    +  - [ ] macOS
    
    16
    +  - [ ] Linux
    
    17
    +
    
    18
    +### Type of Issue: What are we dealing with?
    
    19
    +
    
    20
    +- [ ] Security (sandbox escape, remote code execution, etc)
    
    21
    +- [ ] Proxy Bypass (traffic contents becoming MITM'able)
    
    22
    +- [ ] De-Anonymization (otherwise identifying which website a user is visiting)
    
    23
    +- [ ] Cross-Site Linkability (correlating sessions across circuits and websites)
    
    24
    +- [ ] Disk Leak (persisting session information to disk)
    
    25
    +- [ ] Other (please explain)
    
    26
    +
    
    27
    +### Involvement: Who needs to be consulted and or involved to fix this?
    
    28
    +
    
    29
    +- [ ] Applications Developers
    
    30
    +  - [ ] **boklm** : build, packaging, signing, release
    
    31
    +  - [ ] **clairehurst** : Android, macOS
    
    32
    +  - [ ] **dan** : Android, macOS
    
    33
    +  - [ ] **henry** : accessibility, frontend, localisation
    
    34
    +  - [ ] **ma1** : firefox internals
    
    35
    +  - [ ] **pierov** : updater, fonts, localisation, general
    
    36
    +  - [ ] **richard** : signing, release
    
    37
    +  - [ ] **thorin** : fingerprinting
    
    38
    +- [ ] Other Engineering Teams
    
    39
    +  - [ ] Networking (**ahf**, **dgoulet**)
    
    40
    +  - [ ] Anti-Censorship (**meskio**, **cohosh**)
    
    41
    +  - [ ] UX (**donuts**)
    
    42
    +  - [ ] TPA (**anarcat**, **lavamind**)
    
    43
    +- [ ] External Tor Partners
    
    44
    +  - [ ] Mozilla
    
    45
    +  - [ ] Mullvad
    
    46
    +  - [ ] Brave
    
    47
    +  - [ ] Guardian Project (Orbot, Onion Browser)
    
    48
    +  - [ ] Tails
    
    49
    +  - [ ] Other (please list)
    
    50
    +
    
    51
    +### Urgency: When do we need to act?
    
    52
    +
    
    53
    +- [ ] **ASAP** :rotating_light: Emergency release :rotating_light:
    
    54
    +- [ ] Next scheduled stable
    
    55
    +- [ ] Next scheduled alpha, then backport to stable
    
    56
    +- [ ] Next major release
    
    57
    +- [ ] Other (please explain)
    
    58
    +
    
    59
    +#### Justification
    
    60
    +
    
    61
    +<!-- Provide some paragraph here justifying the logic behind our estimated urgency -->
    
    62
    +
    
    63
    +### Side-Effects: Who will be affected by a fix for this?
    
    64
    +Sometimes fixes have side-effects: users lose their data, roadmaps need to be adjusted, services have to be upgraded, etc. Please enumerate the known downstream consequences a fix to this issue will likely incur.
    
    65
    +- [ ] End-Users (please list)
    
    66
    +- [ ] Internal Partners (please list)
    
    67
    +- [ ] External Partners (please list)
    
    68
    +
    
    69
    +## Todo:
    
    70
    +
    
    71
    +### Communications
    
    72
    +
    
    73
    +- [ ] Start an initial email thread with the following people:
    
    74
    +  - [ ] **bella**
    
    75
    +  - [ ] Relevant Applications Developers
    
    76
    +  - [ ] **(Optional)** **micah**
    
    77
    +    - if there are considerations or asks outside the Applications Team
    
    78
    +  - [ ] **(Optional)** Other Team Leads
    
    79
    +    - if there are considerations or asks outside the Applications Team
    
    80
    +  - [ ] **(Optional)** **gazebook**
    
    81
    +    - if there are consequences to the organisation or partners beyond a browser update, then a communication plan may be needed
    
    82
    +
    
    83
    +/cc @bella
    
    84
    +/cc @ma1
    
    85
    +/cc @micah
    
    86
    +/cc @richard
    
    87
    +
    
    88
    +/confidential
    
    89
    +
    
    90
    +Godspeed! :pray: