Just an indication of the commitment to protect users

Aug 7, 2007 09:28 GMT

Mozilla's Firefox is generally perceived by end users as a browser delivering superior security compared to Internet Explorer. In fact, security has been the backbone of Firefox's adoption and of its steadily rising uptake rate, which has been eroding IE's dominance of the browser market. However, at Black Hat 2007 in Las Vegas, Mozilla's Director of Ecosystem Development, Mike Shaver, took it one step further and apparently promised that the organization would take only 10 days to patch any critical security vulnerability in the open source browser.

"Mike Shaver threw down the gauntlet. He gave me his business card with a handwritten note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within 'Ten F**king Days'," revealed Robert Hansen.

Window Snyder, Chief Security Officer at Mozilla, explained Shaver's gesture. "Mike Shaver handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote 'ten f-ing days.' When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we're among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly. Well, whatever he meant, his statement has taken on a life of its own," Snyder explained.

This, however, is not a new Mozilla security strategy designed to bring Internet Explorer to its knees. Currently, Microsoft releases patches on a monthly basis and only rarely diverges from that cycle; the exceptions are reserved for critical vulnerabilities that pose a great risk to users. Otherwise, security updates for IE and the rest of Microsoft's products are released on the second Tuesday of each month. If Mozilla brought its patching process down to just 10 days, it would narrow the window during which a disclosed flaw can be exploited against the browser, and it would further strengthen the perception of security. But this is not the case.

"This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure," Snyder added.