Several years ago I sat down with Frank Hecker and Mitch Stoltz to hash out a policy for handling security sensitive bugs for Mozilla projects. I think we were fairly successful at balancing the various interests and in building a policy that allowed us to all get back to work.
Today, Frank has posted some of his thoughts as he re-evaluates the formulation of those policies. Go give his post, Full disclosure: for and against, a read.
I especially enjoyed Frank's conclusion which sums up my approach to most things Mozilla. You cannot resolve every controversy, "in the real world the best we can hope for is to manage controversies well enough to get some work done."
Posted by asa at February 13, 2005 07:15 PM

The disclosure policy itself is reasonable, but there are big holes in practice:
1. For bugs that are disclosed by the reporter, there's too much time between disclosure and a fixed release.
2. For bugs that are not disclosed by the reporter, fixes are checked into public CVS well before the release.
3. Some bugs are kept security-sensitive for months to years, which the policy warns against.
4. The Bugzilla software has holes that can lead to the disclosure of security-sensitive bugs. One such bug (38862) is itself marked as security-sensitive and has been that way for years even though multiple people have filed duplicates.
These holes in our practice leave our users vulnerable. They also discourage security researchers from cooperating with us (by not disclosing bugs by themselves), which makes our users even more vulnerable.
Posted by: Jesse Ruderman on February 14, 2005 03:57 AM

Fully agree with Jesse. The public CVS check-in was the main reason why I made my three security bugs public last week. Plus I don't believe there will be a Firefox 1.0.1 before March (meaning at least a month between the patches and their release).
Posted by: Michael Krax on February 14, 2005 07:40 AM