Jon Lasser on the Mozilla Security Bugs Policy
Thursday October 10th, 2002
Ismail Donmez writes: "Jon Lasser on SecurityFocus has an interesting article about mozilla.org's security policy." The column discusses the accusations that mozilla.org is covering up security holes and questions whether every bug actually needs wide publicity. As always, mozilla.org's security bugs policy is available online.
Thursday October 10th, 2002 10:37 AM
The way I see it, if the bug is only known to the people inside Mozilla who are working on it (and maybe the outside people that reported it), then the specifics of exploiting the bug should be kept under wraps for a time. This way people can work on fixing the bug and get a patch in before it even becomes a real problem.
However, if the security bug 1) goes unfixed for over a month, or 2) becomes common knowledge (such as being posted in detail on another website or newsgroup), it should be disclosed fully to expedite the bug getting fixed by appealing to the public for suggestions/code/etc.