
At least for now, Orion is dependent upon key software such as the WebKit browser engine. On desktop, Orion currently distributes the version of WebKit it uses with the browser download/update itself. This necessarily means that there could be a delay between a critical security vulnerability getting fixed in WebKit by Apple and a new release of Orion that addresses it.

My proposal is that Orion publishes a Service Level Agreement (SLA) in the FAQ that states the maximum amount of time that should pass between a critical security fix getting released and Orion issuing a new version that includes it.

Example:

Q: "How promptly does Orion address security updates for critical vulnerabilities?"
A: "Although we hope to respond even more quickly, critical vulnerabilities in Orion and its components (e.g., the WebKit browser engine) are actively monitored and resulting upstream updates should be published for Orion users within 24 hours of the update's release."

The time window can be expressed more conservatively or aggressively to suit resources and prioritization, and evolve to have a tighter window or include specific details (e.g., "patches that address vulnerabilities with a CVSS score of 7.0 or higher") if or when it makes sense.

Privacy concerns and security concerns go hand in hand, and Orion takes very strong positions on privacy. On security, it could provide key assurance for potentially paying customers of a niche browser to know what the longest-possible window of exposure might be for a known-addressed vulnerability. Web browsers are one of the largest attack surfaces in personal computing, and issues with them can risk up to anything that could be risked by the computer itself: finances, identity, etc.

    Example from another downstream, privacy-focused browser: https://librewolf.net/docs/faq/#how-often-do-you-update-librewolf

    Q: How often do you update LibreWolf?
    A: LibreWolf is always based on the latest version of Firefox. Updates usually come within three days from each upstream stable release, at times even the same day. Unless problems arise, we always try to release often and in a timely manner.

    Thanks for posting the proposal.

    This is a good suggestion. It is especially important to users who are more aware about their online presence, and helps build confidence in the product.

    While it is understandable the team might be hesitant to commit to an SLA at its current size, I would at least hope and expect the team is subscribed to the WebKit security advisory page so they are aware when any vulnerabilities and fixes are published by WebKit, as this directly impacts their own product.

    https://webkitgtk.org/security.html
