Jon Lasser on the Mozilla Security Bugs Policy
Thursday October 10th, 2002
Ismail Donmez writes: "Jon Lasser on SecurityFocus has an interesting article about mozilla.org's security policy." The column discusses the accusations that mozilla.org is covering up security holes and questions whether every bug actually needs wide publicity. As always, mozilla.org's security bugs policy is available online.
The way I see it, if the bug is only known to the people inside Mozilla who are working on it (and maybe the outside people that reported it), then the specifics of exploiting the bug should be kept under wraps for a time. This way people can work on fixing the bug and get a patch in before it even becomes a real problem.
However, if the security bug 1) goes unfixed for over a month, or 2) becomes common knowledge (such as being posted in detail on another website or newsgroup), it should be disclosed fully to expedite the bug getting fixed by appealing to the public for suggestions/code/etc.
Recently, a security bug (September 16, 2002) was found in Mozilla, and it was fixed two days later. Would that kind of thing happen with a bug in Internet Explorer, Outlook Express, Windows Media Player, or anything else Microsoft puts out? I seriously doubt it. The only time we hear Microsoft talk about fixing bugs is when some puke hacker takes advantage of one of them to wreak havoc. Mozilla.org hiding bugs? Impossible. How could they? Open source prevents it from happening.
Fact is that even Mozilla.org hides security bugs which may stay unresolved for months... Not long ago exactly such a case has been...
#5 oh, that example bug was SO DANGEROUS, right...
Sunday October 13th, 2002 7:20 AM
Are you referring to the privacy issue with the referrers bug? I really don't get why people get so excited at calling it a serious security flaw, when: 1. it happens only in some special situations, 2. it doesn't give anything to exploit except a URL.
And I do believe that many people who publicly disclose security bugs should be held responsible when they also disclose ways to exploit them and offer no help whatsoever in fixing them.
It's a strange article; throughout the article the author says that there is too much information released about security vulns, but in the conclusion he says that he wants full disclosure.
Also, his main argument is that the press is dumb, so we should hide the information from them. I don't like that idea. Why not react to press articles and explain what is smart and what is not? That way reporters will learn and hopefully write better articles.
Maybe I'm in a bad mood, but it seems that this article is really strange/bad.