RUS-CERT Criticizes Mozilla Security Bugs Policy
Thursday March 11th, 2004
Simon Paquet sent us a link to a German article from the Computer Emergency Response Team of the University of Stuttgart (RUS-CERT) that criticizes Mozilla's security policy.
Simon provides a translation of the key points of the article: "The RUS-CERT criticizes Mozilla's security approach to security leaks. They find fault in the fact that no official security advisories are published by the Mozilla Foundation. Instead, security leaks are silently patched and incorporated into newer releases.
"They come to the conclusion, 'At the moment Mozilla is obviously no convincing alternative to the market leader [Microsoft].' In an update to their article, they state that this sentence was interpreted as saying that everyone should refrain from using Mozilla. This is not the case. They only state that Mozilla suffers from the same security problems as all other clients and that the use of Mozilla alone is no solution to those security problems."
"The last major update to the Known Vulnerabilities in Mozilla page was in November."
And it's therefore out of date. I'm pretty sure there were security issues in 1.5 that have been fixed in 1.6. According to the policy, those should now be on that page.
"The Mozilla Security Bugs Policy explains how security flaws are handled."
It begins by saying that the first step to improving their handling is to appoint a security module owner, and goes on to say that it's Mitch Stoltz of Netscape, who isn't (AFAIK) around any more, as of when Netscape laid everyone off.