Even though it seems like Mozilla cranks out its patches in record time, the truth is it usually takes longer than ten days to test and evaluate patches for products like Mozilla.
Mozilla Clarifies Ten Day Claim
At the Black Hat conference in Las Vegas, Mozilla's Mike Shaver offered Robert 'RSnake' Hansen of SecTheory a one-time ten-day turnaround on fixing an extremely dangerous flaw should he discover one.
The offer quickly became overblown as news of it circulated around Black Hat. Suddenly, Mozilla had a "ten f---ing day" turnaround policy on fixing bugs.
Shaver clarified the point on his blog to quell the rumors:
I was intending to express my confidence in our ability to turn around a fix quickly if we needed to, by giving him a sort of "admit one" ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turnaround on all disclosed vulnerabilities.
Shaver apologized for the misunderstanding, and chief security officer Window Snyder also took time to restate Mozilla's security policy:
This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe.
Snyder also announced Mozilla's JavaScript fuzzer security tool at Black Hat. It is the first of what should be several such tools released by Mozilla.
It has already paid off for developers of the Opera browser: running the fuzzer against a development build turned up some issues, which they were able to correct.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.