Mozilla's Linux Firefox builds still don't even have executable ASLR (PIE), stack canaries, _FORTIFY_SOURCE or RELRO let alone a sandbox.

Bonus points for zapping 8 bits of mmap base rand entropy and finding unique ways to be incompatible with Control Flow Integrity and PaX.

Also, it doesn't seem to build with VTV properly (unless you already listed that one as CFI).

Yeah, that's an incomplete form of CFI but is CFI nonetheless. LLVM has a full forward-edge implementation, but no return protection.

The PaX Reuse Attack Protection GCC plugin is quite cool: grsecurity.net/rap_faq.php. Only production-quality one protecting retaddr.

PaX Team actually got RAP working with Chromium, but Firefox was a dead end due to complex, terrible ways of violating the standard.

RAP on Chrome is good progress! Interesting part is how long it takes till RAP et al. can be applied on a large scale.