<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">-relman,gofaster,mgrimes<br>
+Selena<br>
<br>
On 01/10/2016 00:48, J. Ryan Stinnett wrote:<br>
</div>
<blockquote
cite="mid:CA+952WrE_LQUCPrQ2gP9jtsLBQCjxpKru9=w7ryf2-RoNVHuOw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Sep 30, 2016 at 8:41 AM, Gijs
Kruitbosch <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:gijskruitbosch@gmail.com" target="_blank">gijskruitbosch@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div id="gmail-:vn" class="gmail-a3s gmail-aXjCH
gmail-m1577b542054ec998">In this specific case, it
sounds like you're already talking to the security team.
They would be the best people to judge if you (still)
need a formal security review to happen on the code
you're landing. If you haven't talked to them about
this, now would be a good time. For other projects, a
quick web search gets me: <a moz-do-not-send="true"
href="https://wiki.mozilla.org/Security#Request_a_Security_or_Privacy_Review"
rel="noreferrer" target="_blank">https://wiki.mozilla.org/Secur<wbr>ity#Request_a_Security_or_<wbr>Privacy_Review</a>
which seems fairly straightforward to me.<span
class="gmail-"></span></div>
</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">I suppose this is the wrong venue for
this rabbit hole,</div>
</div>
</blockquote>
I think fx-dev is a fine venue as far as desktop product security is
concerned. I've taken us out of the earlier thread, though.<br>
<blockquote
cite="mid:CA+952WrE_LQUCPrQ2gP9jtsLBQCjxpKru9=w7ryf2-RoNVHuOw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">but I've had a hard time contacting the
security team in the past, so I am not sure what the right
venue is. The wiki page above links to a security review
request form that says "This process not currently in use,
maintaining for historical purposes".<br>
<br>
</div>
<div class="gmail_extra">Is there a description of the correct
process for requesting security review somewhere? I've
received a lot of mixed signals about this process in the
past, so having the right answer would be great!</div>
</div>
</blockquote>
<br>
I hadn't noticed that. And you're right, it would be good if the
wiki page was up-to-date (or redirected to somewhere up-to-date) and
the process here was clearer (more than "ask around to find the right
person").<br>
<br>
Selena, AFAICT from phonebook you should be a good person to ask
(please forward as necessary if I missed something) - can you help
elucidate what would be the most current process here as far as
gecko/desktop/mobile stuff (rather than web/ops) is concerned?<br>
<br>
Thanks,<br>
Gijs<br>
</body>
</html>