Adding issue and merge request templates

**NOTE** This is an issue template to standardise our process for responding to and fixing critical security and privacy vulnerabilities, exploits, etc.

## Information

### Related Issue

- tor-browser#AAAAA

- mullvad-browser#BBBBB

- tor-browser-build#CCCCC

#### Affected Platforms

- [ ] Android

- [ ] Desktop

  - [ ] Windows

  - [ ] macOS

  - [ ] Linux

### Type of Issue: What are we dealing with?

- [ ] Security (sandbox escape, remote code execution, etc)

- [ ] Proxy Bypass (traffic contents becoming MITM'able)

- [ ] De-Anonymization (otherwise identifying which website a user is visiting)

- [ ] Cross-Site Linkability (correlating sessions across circuits and websites)

- [ ] Disk Leak (persisting session information to disk)

- [ ] Other (please explain)

### Involvement: Who needs to be consulted and or involved to fix this?

- [ ] Applications Developers

  - [ ] **boklm** : build, packaging, signing, release

  - [ ] **clairehurst** : Android, macOS

  - [ ] **dan** : Android, macOS

  - [ ] **henry** : accessibility, frontend, localisation

  - [ ] **ma1** : firefox internals

  - [ ] **pierov** : updater, fonts, localisation, general

  - [ ] **richard** : signing, release

  - [ ] **thorin** : fingerprinting

- [ ] Other Engineering Teams

  - [ ] Networking (**ahf**, **dgoulet**)

  - [ ] Anti-Censorship (**meskio**, **cohosh**)

  - [ ] UX (**donuts**)

  - [ ] TPA (**anarcat**, **lavamind**)

- [ ] External Tor Partners

  - [ ] Mozilla

  - [ ] Mullvad

  - [ ] Brave

  - [ ] Guardian Project (Orbot, Onion Browser)

  - [ ] Tails

  - [ ] Other (please list)

### Urgency: When do we need to act?

- [ ] **ASAP** :rotating_light: Emergency release :rotating_light:

- [ ] Next scheduled stable

- [ ] Next scheduled alpha, then backport to stable

- [ ] Next major release

- [ ] Other (please explain)

#### Justification

<!-- Provide some paragraph here justifying the logic behind our estimated urgency -->

### Side-Effects: Who will be affected by a fix for this?

Sometimes fixes have side-effects: users lose their data, roadmaps need to be adjusted, services have to be upgraded, etc. Please enumerate the known downstream consequences a fix to this issue will likely incur.

- [ ] End-Users (please list)

- [ ] Internal Partners (please list)

- [ ] External Partners (please list)

## Todo:

### Communications

- [ ] Start an initial email thread with the following people:

  - [ ] **bella**

  - [ ] Relevant Applications Developers

  - [ ] **(Optional)** **micah**

    - if there are considerations or asks outside the Applications Team

  - [ ] **(Optional)** Other Team Leads

    - if there are considerations or asks outside the Applications Team

  - [ ] **(Optional)** **gazebook**

    - if there are consequences to the organisation or partners beyond a browser update, then a communication plan may be needed

/cc @bella

/cc @ma1

/cc @micah

/cc @richard

/confidential

Godspeed! :pray:

Manual QA test check-list for major android releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist!

<details>

    <summary>Tor Browser Android QA Checklist</summary>

```markdown

# System Information

- Version: Tor Browser XXX

- OS: Android YYY

- Device + CPU Architecture: ZZZ

# Features

## Base functionality

- [ ] Tor Browser launches successfully

- [ ] Connects to the Tor network

- [ ] Localisation (Browser chrome)

  - [ ] Check especially the recently added strings

- [ ] Toolbars and menus work

- [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html

- [ ] Security level (Standard, Safer, Safest)

    - **TODO**: test pages verifying correct behaviour

## Proxy safety

- [ ] Tor exit test: https://check.torproject.org

- [ ] Circuit isolation

    - Following websites should all report different IP addresses

    - https://ifconfig.io

    - https://myip.wtf

    - https://wtfismyip.com

- [ ] DNS leaks: https://dnsleaktest.com

## Connectivity + Anti-Censorship

- [ ] Bridges:

    - Bootstrap

    - Browse: https://check.torproject.org

    - [ ] Default bridges:

        - [ ] obfs4

        - [ ] meek

        - [ ] snowflake

    - [ ] User provided bridges:

        - [ ] obfs4 from https://bridges.torproject.org

        - [ ] webtunnel from https://bridges.torproject.org

        - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/blob/main/client/torrc?ref_type=heads#L6)

## Web Browsing

- [ ] HTTPS-Only: http://http.badssl.com

- [ ] .onion:

    - [ ] torproject.org onion: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/

    - [ ] Onion service errors

        - [ ] invalid onion: http://invalid.onion

        - [ ] onion offline: http://wfdn32ds656ycma5gvrh7duvdvxbg2ygzr3no3ijsya25qm6nnko4iqd.onion/

        - [ ] onion baddssl: https://gitlab.torproject.org/tpo/applications/team/-/wikis/Development-Information/BadSSL-But-Onion

        - **TODO** all the identity block states

        - **TODO** client auth

- [ ] **TODO**: .securedrop.tor.onion

- [ ] **TODO**: onion-service alt-svc

- [ ] HTML5 Video: https://tekeye.uk/html/html5-video-test-page

    - [ ] MPEG4

    - [ ] WebM

    - [ ] Ogg

- [ ] WebSocket Test: https://websocketking.com/

## External Components

- [ ] NoScript

  - [ ] Latest Version: https://addons.mozilla.org/en-US/firefox/addon/noscript/

  - [ ] Not removable from about:addons

  - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/

    - **TODO**: fix test pages

```

</details>

Manual QA test check-list for major desktop releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist!

<details>

    <summary>Tor Browser Desktop QA Checklist</summary>

```markdown

# System Information

- Version: Tor Browser XXX

- OS: Windows|macOS|Linux YYY

- CPU Architecture:

- Profile: New|Old

# Features

## Base functionality

- [ ] Tor Browser launches successfully

- [ ] Connects to the Tor network

    - [ ] Homepage loads:

        - [ ] about:tor

        - [ ] about:blank

        - [ ] custom

- [ ] Tor Browser loads URLs passed by command-line after bootstrapped

- [ ] Localisation (Browser chrome)

  - [ ] Language notification/message bar

  - [ ] Spoof English

  - [ ] Check especially the recently added strings

- [ ] UI Customisations:

    - [ ] New Identity

        - [ ] Toolbar icon

        - [ ] Hamburger menu

        - [ ] File menu

    - [ ] New circuit for this site

        - [ ] Circuit display

        - [ ] Hamburger menu

        - [ ] File menu

    - [ ] No Firefox extras (Sync, Pocket, Report broken site, Tracking protection, etc)

    - [ ] No unified extensions button (puzzle piece)

    - [ ] NoScript button hidden

    - [ ] Context Menu Populated

- [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html

- [ ] Security level (Standard, Safer, Safest)

    - Displays in:

        - toolbar icon

        - toolbar panel

        - about:preferences#privacy

    - [ ] On switch, each UI element is updated

    - [ ] On custom config (toggle `svg.disabled`)

        - [ ] each UI element displays warning

        - [ ] `Restore defaults` reverts custom prefs

    - **TODO**: test pages verifying correct behaviour

- [ ] New identity

- [ ] Betterboxing

    - [ ] Reuse last window size

    - [ ] Content alignment

    - [ ] No letterboxing:

        - [ ]empty tabs or privileged pages (eg: about:blank, about:about)

        - [ ] full-screen video

        - [ ] pdf viewer

        - [ ] reader-mode

- [ ] Downloads Warning

    - [ ] Downloads toolbar panel

    - [ ] about:downloads

    - [ ] Library window (<kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>o</kbd>)

- [ ] Drag and Drop protections:

    - [ ] Dragging a link from a tab to another tab in the same window works

    - [ ] Dragging a link from a tab to another tab in a separate window works

    - [ ] Dragging a link into the library creates a bookmark

    - [ ] Dragging a link from Tor Browser to Firefox doesn't work

    - [ ] Dragging a link from Firefox to Tor Browser works

    - [ ] Dragging a link from Tor Browser to another app (e.g., text editor) doesn't work

    - [ ] Repeat with page favicon

## Proxy safety

- [ ] Tor exit test: https://check.torproject.org

- [ ] Circuit isolation

    - Following websites should all report different IP addresses

    - https://ifconfig.io

    - https://myip.wtf

    - https://wtfismyip.com

- [ ] DNS leaks: https://dnsleaktest.com

- [ ] Circuit Display

    - [ ] Website => circuit

    - [ ] Remote PDF => circuit

    - [ ] Remote image => circuit

    - [ ] .onion Website => circuit with onion-service relays

    - [ ] .tor.onion Website => circuit with onion-service relays, link to true onion address

        - http://ft.securedrop.tor.onion

    - [ ] Website in reader mode => circuit (same as w/o reader mode)

    - [ ] Local image => no circuit

    - [ ] Local SVG with remote content => catch-all circuit, but not shown

    - [ ] Local PDF => no circuit

    - [ ] Local HTML `file://` with local resources  => no circuit

    - [ ] Local HTML `file://` with remote resources => catch-all circuit, but not shown

## Connectivity + Anti-Censorship

- [ ] Tor daemon config by environment variables

    - https://gitlab.torproject.org/tpo/applications/team/-/wikis/Environment-variables-and-related-preferences

- [ ] Internet Test ( about:preferences#connection )

  - [ ] Fails when offline

  - [ ] Succeeds when online

- [ ] Bridges:

    - Bootstrap

    - Browse: https://check.torproject.org

    - Bridge node in circuit-display

    - Bridge cards

    - Disable

    - Remove

    - [ ] Default bridges:

        - [ ] Removable as a group, not editable

        - [ ] obfs4

        - [ ] meek

        - [ ] snowflake

    - [ ] User provided bridges:

        - [ ] Removable and editable individually

        - [ ] obfs4 from https://bridges.torproject.org

        - [ ] webtunnel from https://bridges.torproject.org

        - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/blob/main/client/torrc?ref_type=heads#L6)

    - [ ] Request bridges...

        - [ ] Removable as a group, but not editable

        - [ ] Succeeds when bootstrapped

        - [ ] Succeeds when not bootstrapped

    - **TODO**: Lox

- [ ] Connect Assist

    - Useful pref: `torbrowser.debug.censorship_level`

    - [ ] Auto-bootstrap updates Tor connection settings on success

    - [ ] Auto-bootstrap restore previous Tor connection settings on failure

## Web Browsing

- [ ] HTTPS-Only: http://http.badssl.com

- [ ] Crypto-currency warning on http website

    - **TODO**: we should provide an example page

- [ ] .onion:

    - [ ] torproject.org onion: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/

    - [ ] Onion-Location pill

    - [ ] Client authentication

        - You can create an ephemeral client-auth onion-service using [onion share](https://onionshare.org)

    - [ ] Onion service errors

        - [ ] invalid onion: http://invalid.onion

        - [ ] onion offline: http://wfdn32ds656ycma5gvrh7duvdvxbg2ygzr3no3ijsya25qm6nnko4iqd.onion/

        - [ ] onion baddssl: https://gitlab.torproject.org/tpo/applications/team/-/wikis/Development-Information/BadSSL-But-Onion

        - **TODO** all the identity block states

        - **TODO** client auth

- [ ] **TODO**: .securedrop.tor.onion

- [ ] **TODO**: onion-service alt-svc

- [ ] HTML5 Video: https://tekeye.uk/html/html5-video-test-page

    - [ ] MPEG4

    - [ ] WebM

    - [ ] Ogg

- [ ] WebSocket Test: https://websocketking.com/

## External Components

- [ ] NoScript

  - [ ] Latest Version: https://addons.mozilla.org/en-US/firefox/addon/noscript/

  - [ ] Not removable from about:addons

  - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/

    - **TODO**: fix test pages

```

</details>

<!--

* Use this issue template for reporting a new bug.

-->

### Summary

**Summarize the bug encountered concisely.**

### Steps to reproduce:

**How one can reproduce the issue - this is very important.**

1. Step 1

2. Step 2

3. ...

### What is the current bug behavior?

**What actually happens.**

### What is the expected behavior?

**What you want to see instead**

### Environment

**Which operating system are you using? For example: Debian GNU/Linux 10.1, Windows 10, Ubuntu Xenial, FreeBSD 12.2, etc.**

**Which installation method did you use? Distribution package (apt, pkg, homebrew), from source tarball, from Git, etc.**

### Relevant logs and/or screenshots

/label ~bug

## Merge Info

<!-- Bookkeeping information for release management -->

### Related Issues

- tor-browser#xxxxx

- mullvad-browser#xxxxx

- tor-browser-build#xxxxx

### Backporting

#### Timeline

- [ ] **Immediate**: patchset needed as soon as possible

- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport

- [ ] **Eventually**: patchset that needs to be verified in alpha before backport

- [ ] **No Backport (preferred)**: patchset for the next major stable

#### (Optional) Justification

- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc

- [ ] **Censorship event**: patchset enables censorship circumvention

- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality

- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc

- [ ] **Sponsor required**: patchset required for sponsor

- [ ] **Localization**: typos and other localization changes that should be also in the release branch

- [ ] **Other**: please explain

### Merging

- [ ] Merge to `tor-browser` - `!fixups` to `tor-browser`-specific commits, new features, security backports

- [ ] Merge to `base-browser` - `!fixups` to `base-browser`-specific commits, new features to be shared with `mullvad-browser`, and security backports

  - **NOTE**: if your changeset includes patches to both `base-browser` and `tor-browser` please clearly label in the change description which commits should be cherry-picked to `base-browser` after merging

### Issue Tracking

- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation

### Review

#### Request Reviewer

- [ ] Request review from an applications developer depending on modified system:

  - **NOTE**: if the MR modifies multiple areas, please `/cc` all the relevant reviewers (since gitlab only allows 1 reviewer)

  - **accessibility** : henry

  - **android** : clairehurst, dan

  - **build system** : boklm

  - **extensions** : ma1

  - **firefox internals (XUL/JS/XPCOM)** : jwilde, ma1

  - **fonts** : pierov

  - **frontend (implementation)** : henry

  - **frontend (review)** : donuts, richard

  - **localization** : henry, pierov

  - **macOS** : clairehurst, dan

  - **nightly builds** : boklm

  - **rebases/release-prep** : dan, ma1, pierov, richard

  - **security** : jwilde, ma1

  - **signing** : boklm, richard

  - **updater** : pierov

  - **windows** : jwilde, richard

  - **misc/other** : pierov, richard

#### Change Description

<!-- Whatever context the reviewer needs to effectively review the patchset; if the patch includes UX updates be sure to include screenshots/video of how any new behaviour -->

#### How Tested

<!-- Description of steps taken to verify the change -->