Posted by: David Schneier
Application Security, Security Vendor News
The folks over at Mozilla are scrambling to do a little damage control after a security researcher challenged the group to live up to a supposed claim that it could fix any responsibly disclosed flaw in 10 days. Mozilla security chief Window Snyder says that is not the group’s stance, and never has been. “This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure,” Snyder wrote in a blog post about the controversy today.
The mess began last week at Black Hat when Mike Shaver, one of the founders of the Mozilla project and currently the director of ecosystem development, handed Robert Hansen, aka Rsnake, a business card with the words “Ten [expletive deleted] Days” on it, after reportedly telling Hansen Mozilla could fix any flaw in that amount of time. Hansen posted a photo of the card on his blog and wrote an account of the conversation, which can be summed up thusly: “I’m not going to comment on my personal feelings on this matter except to say that I’d love to see Mozilla back up their promise.”
Shaver has also posted a blog entry about the ten-day claim, saying he overreacted to the situation. “That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turnaround on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression. I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert doesn’t overshadow the great work that people on the Mozilla project do to keep our users secure.”
To review: Security is not a game. And Mozilla is not guaranteeing anything on patch turnaround times.