Known vulnerabilities

This article lists several resources that could be used to find information about any known security vulnerabilities in Thunderbird. Some of them may also apply to other Mozilla applications.

Mozilla has a web page for known vulnerabilites in Mozilla applications and another for security advisories. The Security center has alerts and announcements on security and privacy, and general tips. The Security project web page has links to many resources such as the "Security Review and Best Practices Guide" and a list of future security projects (which identifies some areas of concern).

The Rumbling edge charts weekly developments in Thunderbird builds. It can be a quicker way to monitor security bug activity than searching Bugzilla, especially if a new release is due within a couple of weeks.

The Mozillazine front page and Mozilla Developer Center devnews typically have announcements of security and stability updates.

The test case wish list at MozillaQualityAssurance indicates what functionality isn't tested by the QA team. Those areas (especially if they're new functionality) may have a disproportionate share of security bugs. For example, there are no encryption and digital signing test cases (when this article was written).

Secunia is a frequent source of Thunderbird security advisories. Keep in mind when reading them that many security problems can be avoided by common sense, and that some Thunderbird security problems are really Firefox problems. For example the Vulnerability Report: Mozilla Thunderbird 2.x currently has only one security advisory, Mozilla Thunderbird Memory Corruption Vulnerability. However, the more information link points to Mozilla Firefox Multiple Vulnerabilities which basically describes some Javascript and XUL vulnerabilites in Firefox.

You can also search the release notes.