Mike Shaver, ten days, and expletives

08.06.07 - 10:50am

Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we’re among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.

Well, whatever he meant, his statement has taken on a life of its own. Robert posted on his blog, and a bunch of news articles picked it up as a challenge.

This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure.

Category: Announcements, Conferences, Security |

JavaScript fuzzer available Feedback from Opera on Mozilla JavaScript fuzzer

The Buzz {12 trackbacks/pingbacks}

  1. Pingback: » Patches in ten f***ing days? Not really, says Mozilla | Ryan Naraine’s Zero Day | ZDNet.com on August 6, 2007
  2. Pingback: about ten days at black hat · Get Latest Mozilla Firefox Browsers on August 6, 2007
  3. Pingback: Mozilla says no guarantees of 10-day patch turnarounds — Security Bytes on August 6, 2007
  4. Pingback: hackademix.net » Ten, they can! (if they want) on August 6, 2007
  5. Pingback: Mozilla: 10-day patch guarantee ‘not our policy’ on August 6, 2007
  6. Pingback: Techzi » Blog Archive » Mozilla: 10-day patch guarantee ‘not our policy’ on August 6, 2007
  7. Pingback: Firefox Clarifies ‘Ten Day Policy’ at Catherine’s Flying Hamster Blog on August 7, 2007
  8. Pingback: Mozilla: 10-Day Patch Guarantee ‘Not our Policy’ « TechTitans™ on August 7, 2007
  9. Pingback: about ten days at black hat · Get Latest Mozilla Firefox Browsers on August 8, 2007
  10. Pingback: Inside Firefox » Blog Archive » 10 days to a security fix on August 8, 2007
  11. Pingback: Mozilla nie będzie łatać dziur w 10 dni « Blog nyax’a, czyli mój ;) on August 10, 2007
  12. Pingback: TerminalDigit - Mozilla Officially Retracts “Ten Fucking Days” on August 15, 2007

The Conversation {2 comments}

  1. Greg K Nicholson {Tuesday August 7, 2007 @ 3:47 pm}

    It’s a testament to Mozilla’s track record that so many people think it’s plausible that Mozilla could fix any security bug in ten days.

  2. shaon {Wednesday August 22, 2007 @ 12:31 am}

    Mozilla is the best browser!!! Lets time to leave IE

Speak Your Peace

  • Comment Policy:Could go here if there's a nagging need Login Instructions: Would go here if there's a desire.