The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.

Let's start with a quote:
"I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours" Stephen Roberts

email: password:

mozilla's security policy

Conspiracy theorists have claimed that Microsoft is secretive about bugs in Internet Explorer. Well, you may be interested to know about Mozilla's security policy on bug reporting:

"Security bug reports can be treated as special and handled differently than "normal" bugs. In particular, the Bugzilla system will allow bug reports related to security vulnerabilities to be marked as "Security-Sensitive," and will have special access control features specifically for use with such bug reports."

"Full information about security bugs will be restricted to a known group of people, using the Bugzilla access control restrictions"

"As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be."Handling Mozilla Security Bugs

This was criticised by the Computer Emergency Response Team of the University of Stuttgart (RUS-CERT) who finds fault in the fact that no official security advisories are published by the Mozilla Foundation. Instead security leaks are silently patched and incorporated into newer releases. This leaves independent security agencies completely in the dark about the true fragility of Mozilla's browsers.

This security policy could seriously backfire. Consider that other open-source organizations have used early revisions of Mozilla code in their own products, some of which have been used by large populations of end users, many of whom may not often upgrade or check for recent security fixes.

Although Mozilla's policy may lessen exploitation of their latest browser, it risks damaging PR in the long term. To deliberately keep security reports confidential is tempting fate.

But how could Mozilla enforce their policy? I mean, how do you make people report bugs back to you and noone else?

Then I found out about the bounty programme.. cash rewards for secrecy. Mozilla have learnt a lot from communism haven't they!

written by Chris Beach
16/09/04 12:56am
(13 years, 7 months ago)
comment one comment

photoadd photo

 7 links more journal entries from tech journal