Mozilla: 10-day patch guarantee 'not our policy'

The open-source browser maker was forced to issue a statement Monday, retracting a pledge attributed to the company's director of ecosystem development, Mike Shaver, to fix any critical security bugs in the browser within "Ten Days." Security researcher Robert Hansen said that Shaver had made the pledge at a late-night pajama party, hosted at last week's Black Hat conference in Las Vegas.

When Hansen said he doubted that this was possible, Shaver apparently backed up his pledge in writing: putting it on a business card with an arrow linking to his mobile phone number. "I told him I would post his card -- and he didn't flinch. No, he wasn't drunk. He's serious," Hansen wrote in a Friday blog posting. [Warning: URL and image contain expletive.] On Friday, Mozilla security chief Window Snyder offered a refinement to Shaver's late-night scrawl. "This is not our policy," she wrote in a blog posting. "We do not think security is a game, nor do we issue challenges or ultimatums."

News source: ComputerWorld

15 Comments

Mozilla security chief Window Snyder

Am I the only one who finds it funny that the security chief for Mozilla is named Window?

Maybe Opera should start having drunk pajama parties so they get as much attention as Firefox does.

It has probably a lot more to do with acceptability to view from work (during a free lunch period, for example), or at home around the kids.

From the blog (if you follow the links)

They said the recent rollouts were actually slower than they would have liked them to be, even though they were only a week and a half apart. Further, they said that they could roll out any critical patches within 10 days. Not one to let challenges go untested I called BS.

At this point Mike Shaver threw down the gauntlet. He gave me his business card with a hand written note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within “Ten F------ Days”

It sounds like the "Not one to let challenges go untested I called BS" statement from the source blogger may have been a watered down summary of a chest-thumping match between someone responsible for security at Mozilla and someone who challenged/prodded him.

A very human reaction to what was likely a testosterone-driven discussion.

10 days or less is a great goal, but I can see the lawyer-types crawling all over this to make sure it is announced that this is not a "policy".