Mozilla has moved swiftly to put the kibosh on late-night chatter that it can turn around patches for security flaws within ten days.
The "ten f-ing days" boast came directly from Mozilla Director of Ecosystem Development Mike Shaver during a Black Hat party conversation with hacker Robert "RSnake" Hansen.
We showed up, and nearly immediately I was surrounded by the bulk of the Mozilla QA and security team that was attending Blackhat. They asked me lots of questions, and gave me lots of info. It was a pretty equitable trade of information. Clearly, they acknowledge that they need help from the community but they also feel confident that once things come to their attention it’s simply a matter of days to close their holes. They said the recent rollouts were actually slower than they would have liked them to be, even though they were only a week and a half apart. Further, they said that they could roll out any critical patches within 10 days. Not one to let challenges go untested I called BS.
At this point Mike Shaver threw down the gauntlet. He gave me his business card with a hand written note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within "Ten F***ing Days".
Hansen's description of the discussion and an image of the hand-written note on Shaver's business card have set the blogosphere alight, prompting an immediate mea culpa and explanation from the security folks at Mozilla.
Shaver said his intent was simply to express confidence in Mozilla's ability to turn around a fix quickly if necessary by giving Hansen an "admit one" ticket for a disclosure that he thought needed an especially fast response due to extreme risk.
That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression.
I apologize, and hope that nobody will think less of Mozilla because of my error. We don't issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert doesn't overshadow the great work that people on the Mozilla project do to keep our users secure.
Mozilla security chief Window Snyder also offered an immediate explanation:
When I asked him [Shaver] about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we're among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.
This is the official word: This is not our policy. Mozilla does not claim to be able to turn around patches for security vulnerabilities in ten days in general or otherwise.