Mozilla Backs Away From ’10 Day’ Patch Boast
Mozilla is trying to quell the buzz that has lit up the blogosphere about a boast made at Black Hat that the company could patch bugs in as little as 10 days.
Mozilla is dancing as fast as it can to back away from what executives say was a muddled message that set the blogosphere abuzz with talk of the company promising to patch security vulnerabilities as quickly as 10 days.
Window Snyder, who has the title of "chief security something-or-other" at Mozilla, posted a blog item on Monday trying to calm the building hubbub and reset expectations. She was quick to note that it's not Mozilla's policy to set such tight parameters for itself or to set up such an in-house challenge.
"This is not our policy," she wrote. "We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure."
The issue sprang to life at last week's Black Hat security conference in Las Vegas where Mozilla's Mike Shaver, director of ecosystem development, passed a business card to security researcher Robert Hansen, also known as RSnake. Shaver had written "ten f---ing days" on the card and word quickly spread around the Internet that Mozilla was drawing a line in the vulnerability patching sand.
"Mike Shaver threw down the gauntlet," wrote Hansen on his blog. "He gave me his business card with a handwritten note on it, laying his claim on the line. The claim being -- with responsible disclosure, Mozilla can patch and deploy any critical severity holes within 'Ten F--ing Days.' I told him I would post his card -- and he didn't flinch. No, he wasn't drunk. He's serious. I've always been a fan of Mozilla and Firefox, however this is a pretty bold claim for a company of any shape or size."
From there, word of Mozilla's so-called claim spread like wildfire.
Now, Snyder and Shaver are trying to throw some water on those flames, saying it was a miscommunication. Shaver, they said, was simply looking for security researchers to hold off on posting full vulnerability details, and was expressing his confidence that the Mozilla team could turn around quick fixes if it needed to.
"When I asked [Shaver] about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only 10 days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available," wrote Snyder. "His statement has taken on a life of its own."
It seems Shaver would agree.
"That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turnaround on all disclosed vulnerabilities," Shaver noted in his own blog. "People are reading the conversation and Robert's post that way, but that's not our situation, and it certainly wasn't my intent to give that impression. I apologize, and hope that nobody will think less of Mozilla because of my error. We don't issue challenges, and nobody here thinks that security response is a game."