This FAQ includes questions not covered elsewhere in the Guide.
If you want to take a test ride, there are test installations at http://landfill.bugzilla.org/, ready to play with directly from your browser.
Bugzilla is covered by the Mozilla Public License. See details at http://www.mozilla.org/MPL/.
http://www.bugzilla.org/support/consulting.html is a list of companies and individuals who have asked us to list them as consultants for Bugzilla.
There are several experienced Bugzilla hackers on the mailing list/newsgroup who are willing to make themselves available for generous compensation. Try sending a message to the mailing list asking for a volunteer.
 
            There are dozens of major companies with public
            Bugzilla sites to track bugs in their products. We have a fairly
            complete list available on our website at
            http://bugzilla.org/installation-list/. If you
            have an installation of Bugzilla and would like to be added to the
            list, whether it's a public install or not, simply e-mail
            Gerv <gerv@mozilla.org>.
          
A core team, led by Dave Miller (justdave@bugzilla.org).
We can't find any head-to-head comparisons of Bugzilla against other defect-tracking software. If you know of one, please get in touch. In the experience of Matthew Barnson (the original author of this FAQ), though, Bugzilla offers superior performance on commodity hardware, better price (free!), more developer-friendly features (such as stored queries, email integration, and platform independence), improved scalability, greater flexibility, and superior ease-of-use when compared to commercial bug-tracking software.
            If you happen to be a vendor for commercial bug-tracking
            software, and would like to submit a list of advantages your
            product has over Bugzilla, simply send it to 
            <documentation@bugzilla.org> and we'd be happy to
            include the comparison in our documentation.
          
A.1.7. Why doesn't Bugzilla offer this or that feature or compatibility with this other tracking software?
It may be that the support has not been built yet, or that you have not yet found it. While Bugzilla makes strides in usability, customizability, scalability, and user interface with each release, that doesn't mean it can't still use improvement!
The best way to make an enhancement request is to file a bug at bugzilla.mozilla.org and set the Severity to 'enhancement'. Your 'request for enhancement' (RFE) will start out in the UNCONFIRMED state, and will stay there until someone with the ability to CONFIRM the bug reviews it. If that person feels it to be a good request that fits in with Bugzilla's overall direction, the status will be changed to NEW; if not, they will probably explain why and set the bug to RESOLVED/WONTFIX. If someone else has made the same (or almost the same) request before, your request will be marked RESOLVED/DUPLICATE, and a pointer to the previous RFE will be added.
Even if your RFE gets approved, that doesn't mean it's going to make it right into the next release; there are a limited number of developers, and a whole lot of RFEs... some of which are quite complex. If you're a code-hacking sort of person, you can help the project along by making a patch yourself that supports the functionality you require. If you have never contributed anything to Bugzilla before, please be sure to read the Developers' Guide and Contributors' Guide before going ahead.
MySQL is the default database for Bugzilla. It was originally chosen because it is free, easy to install, and was available for the hardware Netscape intended to run it on.
As of Bugzilla 2.22, complete support for PostgreSQL is included. With this release using PostgreSQL with Bugzilla should be as stable as using MySQL. If you experience any problems with PostgreSQL compatibility, they will be taken as seriously as if you were running MySQL.
There are plans to include an Oracle driver for Bugzilla 3.1.2. Track progress at Bug 189947.
Sybase support was worked on for a time. However, several complicating factors have prevented Sybase support from being realized. There are currently no plans to revive it.
Bug 237862 is a good bug to read through if you'd like to see what progress is being made on general database compatibility.
A.1.9. My perl is located at /usr/local/bin/perl and not /usr/bin/perl. Is there an easy to change that in all the files that have this hard-coded?
The easiest way to get around this is to create a link from one to the other: ln -s /usr/local/bin/perl /usr/bin/perl. If that's not an option for you, the following bit of perl magic will change all the shebang lines (that is to say, the line at the top of each file that starts with '#!' and contains the path) to something else:
| 
perl -pi -e 's@#\!/usr/bin/perl@#\!/usr/local/bin/perl@' *cgi *pl
           | 
Sadly, this command-line won't work on Windows unless you also have Cygwin. However, MySQL comes with a binary called replace which can do the job:
| 
C:\mysql\bin\replace "#!/usr/bin/perl" "#!C:\perl\bin\perl" -- *.cgi *.pl
           | 
|  | If your perl path is something else again, just follow the above examples and replace /usr/local/bin/perl with your own perl path. | 
Once you've modified all your files, you'll also need to modify the t/002goodperl.t test, as it tests that all shebang lines are equal to /usr/bin/perl. (For more information on the test suite, please check out the appropriate section in the Developers' Guide.) Having done this, run the test itself:
| 
            perl runtests.pl 2 --verbose
             | 
If using Apache on Windows, you can avoid the whole problem by setting the ScriptInterpreterSource directive to 'Registry'. (If using Apache 2 or higher, set it to 'Registry-Strict'.) ScriptInterperterSource requires a registry entry "HKEY_CLASSES_ROOT\.cgi\Shell\ExecCGI\Command" to associate .cgi files with your perl executable. If one does not already exist, create it with a default value of "<full path to perl> -T", e.g. "C:\Perl\bin\perl.exe -T".
As a web application, Bugzilla simply requires its root directory to have the httpd context applied for it to work properly under SELinux. This should happen automatically on distributions that use SELinux and that package Bugzilla (if it is installed with the native package management tools). Information on how to view and change SELinux file contexts can be found at the SELinux FAQ.
Yes. You have to turn on the 'allowbugdeletion' parameter, which is off by default. Note that you cannot delete bug reports one by one. You have to move them in a product or component, e.g. named "Trash", and then delete this product or component. The reason we make it hard is that you generally don't want to do that.
A.2.2. Is Bugzilla web-based, or do you have to have specific software or a specific operating system on your machine?
It is web and e-mail based.
A.2.3. Does Bugzilla allow us to define our own priorities and levels? Do we have complete freedom to change the labels of fields and format of them, and the choice of acceptable values?
Yes. However, modifying some fields, notably those related to bug progression states, also require adjusting the program logic to compensate for the change.
As of Bugzilla 3.0 custom fields can be created via the "Custom Fields" admin page.
A.2.4. Does Bugzilla provide any reporting features, metrics, graphs, etc? You know, the type of stuff that management likes to see. :)
Yes. Look at https://bugzilla.mozilla.org/report.cgi for samples of what Bugzilla can do in reporting and graphing. Fuller documentation is provided in Section 5.11.
If you can not get the reports you want from the included reporting scripts, it is possible to hook up a professional reporting package such as Crystal Reports using ODBC. If you choose to do this, beware that giving direct access to the database does contain some security implications. Even if you give read-only access to the bugs database it will bypass the secure bugs features of Bugzilla.
Email notification is user-configurable. By default, the bug id and summary of the bug report accompany each email notification, along with a list of the changes made.
Bugzilla email is sent in plain text, the most compatible mail format on the planet.
|  | If you decide to use the bugzilla_email integration features to allow Bugzilla to record responses to mail with the associated bug, you may need to caution your users to set their mailer to "respond to messages in the format in which they were sent". For security reasons Bugzilla ignores HTML tags in comments, and if a user sends HTML-based email into Bugzilla the resulting comment looks downright awful. | 
A.2.7. Does Bugzilla allow data to be imported and exported? If I had outsiders write up a bug report using a MS Word bug template, could that template be imported into "matching" fields? If I wanted to take the results of a query and export that data to MS Excel, could I do that?
Bugzilla can output buglists as HTML (the default), CSV or RDF. The link for CSV can be found at the bottom of the buglist in HTML format. This CSV format can easily be imported into MS Excel or other spreadsheet applications.
To use the RDF format of the buglist it is necessary to append a &ctype=rdf to the URL. RDF is meant to be machine readable and thus it is assumed that the URL would be generated programmatically so there is no user visible link to this format.
Currently the only script included with Bugzilla that can import data is importxml.pl which is intended to be used for importing the data generated by the XML ctype of show_bug.cgi in association with bug moving. Any other use is left as an exercise for the user.
There are also scripts included in the contrib/ directory for using e-mail to import information into Bugzilla, but these scripts are not currently supported and included for educational purposes.
A.2.8. Has anyone converted Bugzilla to another language to be used in other countries? Is it localizable?
Yes. For more information including available translated templates, see http://www.bugzilla.org/download.html#localizations. Some admin interfaces have been templatized (for easy localization) but many of them are still available in English only. Also, there may be issues with the charset not being declared. See bug 126226 for more information.
Yes. No. Yes (using the CSV format).
You should use the backup options supplied by your database platform. Vendor documentation for backing up a MySQL database can be found at http://www.mysql.com/doc/B/a/Backup.html. PostgreSQL backup documentation can be found at http://www.postgresql.org/docs/8.0/static/backup.html.
A.2.11. What type of human resources are needed to be on staff to install and maintain Bugzilla? Specifically, what type of skills does the person need to have? I need to find out what types of individuals would we need to hire and how much would that cost if we were to go with Bugzilla vs. buying an "out-of-the-box" solution.
If Bugzilla is set up correctly from the start, continuing maintenance needs are minimal and can be done easily using the web interface.
Commercial Bug-tracking software typically costs somewhere upwards of $20,000 or more for 5-10 floating licenses. Bugzilla consultation is available from skilled members of the newsgroup. Simple questions are answered there and then.
A.2.12. What time frame are we looking at if we decide to hire people to install and maintain the Bugzilla? Is this something that takes hours or days to install and a couple of hours per week to maintain and customize, or is this a multi-week install process, plus a full time job for 1 person, 2 people, etc?
It all depends on your level of commitment. Someone with much Bugzilla experience can get you up and running in less than a day, and your Bugzilla install can run untended for years. If your Bugzilla strategy is critical to your business workflow, hire somebody to who has reasonable Perl skills, and a familiarity with the operating system on which Bugzilla will be running, and have them handle your process management, bug-tracking maintenance, and local customization.
A.2.13. Is there any licensing fee or other fees for using Bugzilla? Any out-of-pocket cost other than the bodies needed as identified above?
No. Bugzilla, Perl, the Template Toolkit, and all other support software needed to make Bugzilla work can be downloaded for free. MySQL and PostgreSQL -- the databases supported by Bugzilla -- are also open-source. MySQL asks that if you find their product valuable, you purchase a support contract from them that suits your needs.
Yes! As of Bugzilla 2.18, it is a simple matter to change the word 'bug' into whatever word/phrase is used by your organization. See the documentation on Customization for more details, specifically Section 6.2.5.
A.3.1. Does Bugzilla provide record locking when there is simultaneous access to the same bug? Does the second person get a notice that the bug is in use or how are they notified?
Bugzilla does not lock records. It provides mid-air collision detection -- which means that it warns a user when a commit is about to conflict with commits recently made by another user, and offers the second user a choice of options to deal with the conflict.
Refer to your database platform documentation for details on how to do hot backups. Vendor documentation for backing up a MySQL database can be found at http://www.mysql.com/doc/B/a/Backup.html. PostgreSQL backup documentation can be found at http://www.postgresql.org/docs/8.0/static/backup.html.
Make a backup of both your Bugzilla directory and the database. For the Bugzilla directory this is as easy as doing cp -rp bugzilla bugzilla.bak. For the database, there's a number of options - see the MySQL docs and pick the one that fits you best (the easiest is to just make a physical copy of the database on the disk, but you have to have the database server shut down to do that without risking dataloss).
Make the Bugzilla directory your current directory.
Use cvs -q update -AdP if you want to update to the tip or cvs -q update -dP -rTAGNAME if you want a specific version (in that case you'll have to replace TAGNAME with a CVS tag name such as BUGZILLA-2_16_5).
If you've made no local changes, this should be very clean. If you have made local changes, then watch the cvs output for C results. If you get any lines that start with a C it means there were conflicts between your local changes and what's in CVS. You'll need to fix those manually before continuing.
After resolving any conflicts that the cvs update operation generated, running ./checksetup.pl will take care of updating the database for you as well as any other changes required for the new version to operate.
|  | Once you run checksetup.pl, the only way to go back is to restore the database backups. You can't "downgrade" the system cleanly under most circumstances. | 
See also the instructions in Section 3.16.3.1.
To use the UNCONFIRMED status, you must have the 'usevotes' parameter set to "On". You must then visit the editproducts.cgi page and set the " Number of votes a bug in this product needs to automatically get out of the UNCONFIRMED state" to be a non-zero number. (You will have to do this for each product that wants to use the UNCONFIRMED state.) If you do not actually want users to be able to vote for bugs entered against this product, leave the "Maximum votes per person" value at '0'.
There is work being done to decouple the UNCONFIRMED state from the 'usevotes' parameter for future versions of Bugzilla. Follow the discussion and progress at bug 162060.
Reference your database vendor's documentation for information on backing up and restoring your Bugzilla database on to a different server. Vendor documentation for backing up a MySQL database can be found at http://dev.mysql.com/doc/mysql/en/mysqldump.html. PostgreSQL backup documentation can be found at http://www.postgresql.org/docs/8.0/static/backup.html.
On your new machine, follow the instructions found in Chapter 2 as far as setting up the physical environment of the new machine with perl, webserver, modules, etc. Having done that, you can either: copy your entire Bugzilla directory from the old machine to a new one (if you want to keep your existing code and modifications), or download a newer version (if you are planning to upgrade at the same time). Even if you are upgrading to clean code, you will still want to bring over the localconfig file, and the data directory from the old machine, as they contain configuration information that you probably won't want to re-create.
|  | If the hostname or port number of your database server changed as part of the move, you'll need to update the appropriate variables in localconfig before taking the next step. | 
Once you have your code in place, and your database has been restored from the backup you made in step 1, run checksetup.pl. This will upgrade your database (if necessary), rebuild your templates, etc.
A.4.1. How do I completely disable MySQL security if it's giving me problems? (I've followed the instructions in the installation section of this guide...)
You can run MySQL like this: mysqld --skip-grant-tables. However, doing so disables all MySQL security. This is a bad idea. Please consult Section 4.2 of this guide and the MySQL documentation for better solutions.
The Bugzilla code has undergone a reasonably complete security audit, and user-facing CGIs run under Perl's taint mode. However, it is recommended that you closely examine permissions on your Bugzilla installation, and follow the recommended security guidelines found in The Bugzilla Guide.
A.5.1. I have a user who doesn't want to receive any more email from Bugzilla. How do I stop it entirely for this user?
The user can stop Bugzilla from sending any mail by unchecking all boxes on the 'Edit prefs' -> 'Email settings' page. (As of 2.18,this is made easier by the addition of a 'Disable All Mail' button.) Alternately, you can add their email address to the data/nomail file (one email address per line). This will override their personal preferences, and they will never be sent mail again.
A.5.2. I'm evaluating/testing Bugzilla, and don't want it to send email to anyone but me. How do I do it?
 
            To disable email, set the
            mail_delivery_method parameter to
            none (2.20 and later), or
            
| $enableSendMail | 
|  | Up to 2.16.x, changing 
 | 
To have bugmail (and only bugmail) redirected to you instead of its intended recipients, leave
| $enableSendMail | 
Replace "To:" with "X-Real-To:"
Replace "Cc:" with "X-Real-CC:"
Add a "To: %lt;your_email_address>"
A.5.3. I want whineatnews.pl to whine at something other than new and reopened bugs. How do I do it?
For older versions of Bugzilla, you may be able to apply Klaas Freitag's patch for "whineatassigned", which can be found in bug 6679. Note that this patch was made in 2000, so it may take some work to apply cleanly to any releases of Bugzilla newer than that, but you can use it as a starting point.
An updated (and much-expanded) version of this functionality is due to be released as part of Bugzilla 2.20; see bug 185090 for the discussion, and for more up-to-date patches if you just can't wait.
Bugzilla 3.0 and later offers the ability submit or change bugs via email, using the email_in.pl script within the root directory of the Bugzilla installation. More information on the script can be found in docs/html/api/email_in.html.
 
            If you are using sendmail, try
            enabling sendmailnow in
            editparams.cgi. For earlier versions of
            sendmail, one could achieve
            significant performance improvement in the UI (at the cost of
            delaying the sending of mail) by setting this parameter to
            off. Sites with
            sendmail version 8.12 (or higher)
            should leave this on, as they will not see
            any performance benefit.
          
If you are using an alternate MTA, make sure the options given in Bugzilla/BugMail.pm and any other place where sendmail is called are correct for your MTA.
Double-check that you have not turned off email in your user preferences. Confirm that Bugzilla is able to send email by visiting the "Log In" link of your Bugzilla installation and clicking the "Submit Request" button after entering your email address.
If you never receive mail from Bugzilla, chances are you do not have sendmail in "/usr/lib/sendmail". Ensure sendmail lives in, or is symlinked to, "/usr/lib/sendmail".
            If you are using an MTA other than
            sendmail the
            sendmailnow param must be set to
            on or no mail will be sent.
          
Run the "sanity check" utility (sanitycheck.cgi) from your web browser to see! If it finishes without errors, you're probably OK. If it doesn't come back OK (i.e. any red letters), there are certain things Bugzilla can recover from and certain things it can't. If it can't auto-recover, I hope you're familiar with mysqladmin commands or have installed another way to manage your database. Sanity Check, although it is a good basic check on your database integrity, by no means is a substitute for competent database administration and avoiding deletion of data. It is not exhaustive, and was created to do a basic check for the most common problems in Bugzilla databases.
There is no facility in Bugzilla itself to do this. It's also generally not a smart thing to do if you don't know exactly what you're doing. If you understand SQL, though, you can use the mysql or psql command line utilities to manually insert, delete and modify table information. There are also more intuitive GUI clients available for both MySQL and PostgreSQL. For MySQL, we recommend phpMyAdmin.
Remember, backups are your friend. Everyone makes mistakes, and it's nice to have a safety net in case you mess something up.
Try running MySQL from its binary: mysqld --skip-grant-tables. This will allow you to completely rule out grant tables as the cause of your frustration. If this Bugzilla is able to connect at this point then you need to check that you have granted proper permission to the user password combo defined in localconfig.
|  | Running MySQL with this command line option is very insecure and should only be done when not connected to the external network as a troubleshooting step. Please do not run your production database in this mode. | 
You may also be suffering from a client version mismatch:
MySQL 4.1 and up uses an authentication protocol based on a password hashing algorithm that is incompatible with that used by older clients. If you upgrade the server to 4.1, attempts to connect to it with an older client may fail with the following message:
| shell> mysql
            Client does not support authentication protocol requested
            by server; consider upgrading MySQL client
             | 
To solve this problem, you should use one of the following approaches:
Upgrade all client programs to use a 4.1.1 or newer client library.
When connecting to the server with a pre-4.1 client program, use an account that still has a pre-4.1-style password.
Reset the password to pre-4.1 style for each user that needs to use a pre-4.1 client program. This can be done using the SET PASSWORD statement and the OLD_PASSWORD() function:
| 
                    mysql> SET PASSWORD FOR
                        -> ' some_user '@' some_host ' = OLD_PASSWORD(' newpwd ');
                   | 
Well, you can synchronize or you can move bugs. Synchronization will only work one way -- you can create a read-only copy of the database at one site, and have it regularly updated at intervals from the main database.
MySQL has some synchronization features built-in to the latest releases. It would be great if someone looked into the possibilities there and provided a report to the newsgroup on how to effectively synchronize two Bugzilla installations.
If you simply need to transfer bugs from one Bugzilla to another, checkout the "move.pl" script in the Bugzilla distribution.
Making Bugzilla work easily with Windows was one of the major goals of the 2.18 milestone. If the necessary components are in place (perl, a webserver, an MTA, etc.) then installation of Bugzilla on a Windows box should be no more difficult than on any other platform. As with any installation, we recommend that you carefully and completely follow the installation instructions in Section 2.5.1.
While doing so, don't forget to check out the very excellent guide to Installing Bugzilla on Microsoft Windows written by Byron Jones. Thanks, Byron!
Not currently. Bundle::Bugzilla enormously simplifies Bugzilla installation on UNIX systems. If someone can volunteer to create a suitable PPM bundle for Win32, it would be appreciated.
Depending on what Web server you are using, you will have to configure the Web server to treat *.cgi files as CGI scripts. In IIS, you do this by adding *.cgi to the App Mappings with the <path>\perl.exe %s %s as the executable.
Microsoft has some advice on this matter, as well:
"Set application mappings. In the ISM, map the extension for the script file(s) to the executable for the script interpreter. For example, you might map the extension .py to Python.exe, the executable for the Python script interpreter. Note For the ActiveState Perl script interpreter, the extension '.pl' is associated with PerlIS.dll by default. If you want to change the association of .pl to perl.exe, you need to change the application mapping. In the mapping, you must add two percent (%) characters to the end of the pathname for perl.exe, as shown in this example: c:\perl\bin\perl.exe %s %s"
Your modules may be outdated or inaccurate. Try:
Download ActivePerl
Go to your prompt
Type 'ppm'
PPM> install DBI DBD-mysql GD
You can change your email address from the Name and Password section in Preferences. You will be emailed at both the old and new addresses for confirmation. 'Administrative Policies' must have the 'allowemailchange' parameter set to "On".
The interface was simplified by a UI designer for 2.16. Further suggestions for improvement are welcome, but we won't sacrifice power for simplicity.
As of 2.18, there is also a 'simpler' search available. At the top of the search page are two links; "Advanced Search" will take you to the familiar full-power/full-complexity search page. The "Find a Specific Bug" link will take you to a much-simplified page where you can pick a product and status (open,closed, or both), then enter words that appear in the bug you want to find. This search will scour the 'Summary' and 'Comment' fields, and return a list of bugs sorted so that the bugs with the most hits/matches are nearer to the top.
|  | Matches in the Summary will 'trump' matches in comments, and bugs with summary-matches will be placed higher in the buglist -- even if a lower-ranked bug has more matches in the comments section. | 
Bugzilla uses a cookie to remember which version of the page you visited last, and brings that page up when you next do a search. The default page for new users (or after an upgrade) is the 'simple' search.
A.8.3. I'm confused by the behavior of the "Accept" button in the Show Bug form. Why doesn't it assign the bug to me when I accept it?
The current behavior is acceptable to bugzilla.mozilla.org and most users. If you want to change this behavior, though, you have your choice of patches:
| Bug 35195 seeks to add an "...and accept the bug" checkbox to the UI. It has two patches attached to it: attachment 8029 was originally created for Bugzilla 2.12, while attachment 91372 is an updated version for Bugzilla 2.16 | 
| Bug 37613 also provides two patches (against Bugzilla 2.12): one to add a 'Take Bug' option, and the other to automatically reassign the bug on 'Accept'. | 
A.8.4. I can't upload anything into the database via the "Create Attachment" link. What am I doing wrong?
The most likely cause is a very old browser or a browser that is incompatible with file upload via POST. Download the latest version of your favourite browser to handle uploads correctly.
In the Bugzilla administrator UI, edit the keyword and it will let you replace the old keyword name with a new one. This will cause a problem with the keyword cache; run sanitycheck.cgi to fix it.
Simple answer; you can.
The logic behind the page checks every bug in the list to determine legal state changes, and then only shows you controls to do things that could apply to every bug on the list. The reason for this is that if you try to do something illegal to a bug, the whole process will grind to a halt, and all changes after the failed one will also fail. Since that isn't a good outcome, the page doesn't even present you with the option.
In practical terms, that means that in order to mark multiple bugs as CLOSED, then every bug on the page has to be either RESOLVED or VERIFIED already; if this is not the case, then the option to close the bugs will not appear on the page.
The rationale is that if you pick one of the bugs that's not VERIFIED and try to CLOSE it, the bug change will fail miserably (thus killing any changes in the list after it while doing the bulk change) so it doesn't even give you the choice.
Gerv and Myk suggest a 2-space indent, with embedded code sections on their own line, in line with outer tags. Like this:
| 
<fred>
[% IF foo %]
  <bar>
  [% FOREACH x = barney %]
    <tr>
      <td>
        [% x %]
      </td>
    <tr>
  [% END %]
[% END %]
</fred>
 | 
Myk also recommends you turn on PRE_CHOMP in the template initialization to prevent bloating of HTML with unnecessary whitespace.
Please note that many have differing opinions on this subject, and the existing templates in Bugzilla espouse both this and a 4-space style. Either is acceptable; the above is preferred.
Try this link to view current bugs or requests for enhancement for Bugzilla.
You can view bugs marked for 3.2 release here. This list includes bugs for the 3.2 release that have already been fixed and checked into CVS. Please consult the Bugzilla Project Page for details on how to check current sources out of CVS so you can have these bug fixes early!
A.9.3. How can I change the default priority to a null value? For instance, have the default priority be "---" instead of "P2"?
This is well-documented in bug 49862. Ultimately, it's as easy as adding the "---" priority field to your localconfig file in the appropriate area, re-running checksetup.pl, and then changing the default priority in your browser using editparams.cgi.
Enter a bug into bugzilla.mozilla.org for the "Bugzilla" product.
Upload your patch as a unified diff (having used "diff -u" against the current sources checked out of CVS), or new source file by clicking "Create a new attachment" link on the bug page you've just created, and include any descriptions of database changes you may make, into the bug ID you submitted in step #1. Be sure and click the "Patch" checkbox to indicate the text you are sending is a patch!
Announce your patch and the associated URL (https://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) for discussion in the newsgroup (mozilla.support.bugzilla). You'll get a really good, fairly immediate reaction to the implications of your patch, which will also give us an idea how well-received the change would be.
If it passes muster with minimal modification, the person to whom the bug is assigned in Bugzilla is responsible for seeing the patch is checked into CVS.
Bask in the glory of the fact that you helped write the most successful open-source bug-tracking software on the planet :)