Robert Hansen, a security researcher, received a business card from Firefox’s Mike Shaver at a late-night party last week during the Black Hat conference. The card, pictured to the right, used some colorful language to claim that it takes Mozilla just 10 days to patch critical security bugs once they have been disclosed. Here is a snippet from Hansen’s blog post:
He gave me his business card with a hand written note on it, laying his claim on the line. The claim being – with responsible disclosure Mozilla can patch and deploy any critical severity holes within “Ten [F**king] Days”:
I told him I would post his card – and he didn’t flinch. No, he wasn’t drunk. He’s serious. I’ve always been a fan of Mozilla and Firefox; however, this is a pretty bold claim for a company of any shape or size. I shopped the business card around to various people while I was at the Microsoft party the next day to get people’s reaction. The consensus was that it was funny, very difficult to achieve and in one case, one of the head guys of security at Amazon simply doubted that the patches would be of sufficient quality.
Apparently this was all taken the wrong way. Window Snyder, Mozilla’s security chief, responded to the 10-day claim:
This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure.
Shaver was simply saying that Mozilla’s latest critical security patch had been made publicly available 10 days after the vulnerability was disclosed to them, and therefore that Hansen did not need to publish vulnerability details before Mozilla had a chance to fix them. For some software vendors, public posting of the details is what motivates them to ship a patch as quickly as possible, before exploitation becomes widespread, but Mozilla says it fixes security flaws whether or not the details are published.