A general and boring explanation on how access restrictions are handled/configured in Bugzilla currently. No opinions involved.
On Wed, 2014-06-25 at 21:18 -0700, Chris Steipp wrote:
There are a few cases where there may be legitimate private data in a security bug ("look, sql injection, and here are some rows from the user table!", "Hey, this was supposed to be suppressed, and I can see it", "This user circumvented the block on this IP"). But there might be ways to flag or categorize a report as also including private data? Someone with more bugzilla experience would need to comment.
I'm not aware of any "standardized" way to do this. Current practice is described in item 2 below.
In general, Bugzilla offers two things:
1) Access restriction to all tickets in a certain product by default (like all tickets under "Security"). Only Bugzilla admins, members of the security group, the bug reporter, and people explicitly CC'ed on such a ticket can access such a ticket in such a product.
2) Separate from that, marking both attachments and specific comments in a ticket as "private". It's configured so that it can be set and seen by Bugzilla admins and members of the security group. There is a practice (tradition?) to set the 'private' flag if somebody finds or notifies about private data exposed (IPs, passwords, SSIDs), insults / personal attacks, or spam. We don't have an explicit policy defined for setting that flag.
A while ago I was told that people who by default have access to Security tickets in Bugzilla need to have an NDA [1] in place.
andre
[1] https://en.wikipedia.org/wiki/Non-disclosure_agreement
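The two access rules from items 1 and 2 above, written out as a small visibility check. This is an added example, not Bugzilla's own code and not part of the thread; the product name, group names, user names and ticket contents are assumed or constructed, and it leaves out Bugzilla's finer-grained group configuration.

```python
from dataclasses import dataclass, field

RESTRICTED_PRODUCT = "Security"            # tickets here are restricted by default (item 1)
PRIVILEGED_GROUPS = {"admin", "security"}  # Bugzilla admins and the security group

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

@dataclass
class Comment:
    text: str
    private: bool = False

@dataclass
class Ticket:
    product: str
    reporter: str
    cc: set = field(default_factory=set)
    comments: list = field(default_factory=list)

def is_privileged(user: User) -> bool:
    return bool(user.groups & PRIVILEGED_GROUPS)

def can_view_ticket(user: User, ticket: Ticket) -> bool:
    """Item 1: restricted-product tickets are open only to admins, security group, reporter, CCs."""
    if ticket.product != RESTRICTED_PRODUCT:
        return True
    return is_privileged(user) or user.name == ticket.reporter or user.name in ticket.cc

def visible_comments(user: User, ticket: Ticket) -> list:
    """Item 2: private comments are shown only to admins/security group; nothing on unviewable tickets."""
    if not can_view_ticket(user, ticket):
        return []
    return [c for c in ticket.comments if not c.private or is_privileged(user)]

def mark_private(user: User, comment: Comment) -> None:
    """Item 2: only admins/security group may set the private flag."""
    if not is_privileged(user):
        raise PermissionError(f"{user.name} may not set the private flag")
    comment.private = True

# Constructed sample (assumed names): a Security ticket whose second comment quotes leaked rows.
TICKET = Ticket("Security", reporter="alice", cc={"bob"}, comments=[
    Comment("Reproducible SQL injection in the search form"),
    Comment("Sample of leaked rows: <redacted user table data>")])
mark_private(User("carol", {"security"}), TICKET.comments[1])  # security member hides the data
```

With this model the reporter and the CC'ed user can still open the ticket but see only the first comment, while an unprivileged outsider sees nothing at all.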