MFSA: Mozilla Foundation Security Advisories: frequency/scheduling

Glancing at the dates under

Without wishing to over-simplify: is it reasonable to assume that advisories are simply published when appropriate?

Or is there, internally within Mozilla, a notional frequency, e.g. monthly publication, with (understandable) variations from that frequency when appropriate?

Just curious. And I’m probably not explaining myself well … sorry!

I thought you articulated your question extremely well, @grahamperrin; however, I wouldn’t take it personally—and certainly wouldn’t be surprised—if a thorough, authoritative answer never shows up.

That’s simply due to the impetus that we all know is placed upon security due to the vital role it plays in both browser development and continuity. In terms of overall interest and the ensuing traffic the reports receive, I don’t feel I’m speaking out of turn by assuming the metrics must be quite low. The MFSAs are most likely posted with only a niche audience in mind and for transparency/documentation purposes.

The question still has merit, no doubt about that; check out (and maybe even get involved with) Bugzilla if you haven’t already. That is, if this subject matter is something you’re interested in beyond mere curiosity.

Kudos for taking the initiative and asking, though!

Best of luck.

I think advisories are usually published at the time a software update is released that contains the corresponding fix.

Thank you both. Towards a possible answer …

Moving Firefox to a faster 4-week release cycle - Mozilla Hacks - the Web developer blog (2019-09-17) foresaw a four-week release cycle without reference to security.

From more recent

… Firefox is released at intervals of four to five weeks (not counting urgent patch updates), meaning that every four to five weeks there will be a new version of Firefox Release. …

– and not all urgent patches involve security. For example, (2020-02-18) did not coincide with any advisory.

As far as I know it’s always at the same time.

MFSA + release notes + (where appropriate) publication of advisory-related bugs that were previously confidential.