MozillaZine

Frank Hecker on the Mozilla Security Bugs Policy

Thursday May 9th, 2002

Frank Hecker writes: "I've just posted to netscape.public.mozilla.announce a mozilla.org statement re the recently-reported (and fixed) Mozilla security vulnerability relating to XMLHttpRequest.

"I'll add my personal opinion that we (mozilla.org staff) have not been active enough in publicizing the current mozilla.org policy on security bugs and the security@mozilla.org reporting mechanism. I'll take personal responsibility for that failure; among other things, I neglected to do enough follow-up announcements after we created the security policy originally.

"I've tried to highlight the security bug policy information in the public statement referenced above, and I'll also try to make sure that the security@mozilla.org address and related information get highlighted in appropriate pages on the mozilla.org web site."

#1 Personal Responsibility

by whiprush

Thursday May 9th, 2002 9:09 PM

I'd just like to point out how cool it is for Frank to post this statement. It's this kind of pride in Mozilla that will make Mozilla the standard bearer for other cross-platform Open Source Projects.

In a world where companies would rather blame the reporters of bugs, or ignore them completely (glares at Microsoft) - it's good to see someone have the cojones to fix things.

#2 Open Source application security

by gashu

Friday May 10th, 2002 4:00 AM

I expect Sardonix Security Portal to be something reliable for mozilla.org in the future. If this coordination is possible, Moz will have more advantages than any other commercial web browser, I think.

Sardonix Security Portal: http://sardonix.org/index.html

Moz is first priority...maybe...? http://sardonix.org/Browse_Programs.html

#3 The problem is Netscape

by johann_p

Friday May 10th, 2002 5:02 AM

The mozilla team has a wonderful security policy, but what would count is *Netscape's* policy for the end-user product they make out of mozilla. Where these security things are really relevant is with end users, and mozilla is not for end users, right? So what is the use of Mozilla's wonderful policy when Netscape just ignores this? What end users need is a competent and quick reaction from Netscape, not mozilla. So why do I post this here? Because I think that Netscape's way of handling security issues the MS way will backfire on Mozilla. Netscape has already done immense harm by releasing the early NS6 releases the way they did - I have talked to countless web developers and administrators who have turned their backs on NS6 because of this. Now Netscape will make more people get pissed and switch to another browser because of the way they handle security (and other user support and distribution issues, as I have pointed out elsewhere). It's sad, because mozilla really would deserve better. (Remember the old times: <http://home.snafu.de/tilman/mozilla/mozilla-ie-card.jpg> ? The sign says: "Netscape 72, Microsoft 18".)

#4 Let's give credit where credit is due

by frankhecker

Friday May 10th, 2002 7:58 AM

Let me clarify something: I personally had absolutely nothing to do with fixing the XMLHttpRequest security vulnerability (or any other Mozilla bug, for that matter). You should direct any praise to the Mozilla developers themselves, including in particular the various Netscape employees who participated in fixing the bug.