This is sometimes good and sometimes bad, some bugs do seem so minor and would require so much work that developers wouldn’t be wise to spend time there. That said I do often see Mozilla fix a lot of security bugs with no Proof of Concept code, especially if it’s memory related, and Microsoft just say “This is not a security bug”.

I work for a financial institution where we use the following metric for app security: We simply add the days all known bugs stay unpatched. This gives us a figure that say how we are, if we are getting better or worse and if we are doing better or worse than other financial institutions.

I think the same principle could be used to compare Mozilla and other web browsers, you would get a metric that wouldn’t say what browser is safest, but what browser has the best security stance TODAY.

“The growth in browser market-share for browsers such as Mozilla Firefox is a driving factor in the increased attention by security researchers. However, this does not necessarily result in more attack activity in the wild. Although internet explorer was subject to fewer vulnerabilities that are inherent to the browser in comparison to Mozilla, exploit activity in the wild indicates that it is still the gateway for third-party vulnerabilities affecting ActiveX and other browser plug-in technologies.”