Opera accuses Mozilla of irresponsible disclosure

TOPICS: Browser, Security

In a blog post published yesterday on Opera's website, blogger Claudio Santambrogio tells us that he isn't happy about the way Mozilla handled an Opera security disclosure. Here's what Claudio had to say:

Mozilla notified us of one security issue ( ) the day before they published their public advisory ( ). They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody ( awww ).

Opera is as always committed to not only protecting its users, but to making the Web a safe place. We believe in responsible disclosure of vulnerabilities affecting several vendors.

Now I followed that published link and it says nothing about an Opera vulnerability unless it's something that affects both Opera and Mozilla software.  It's still too early to tell since details about the vulnerability are sparse.  Developing ...


Talkback

4 comments
  • Opera is too conservative in some regards

    Often they will update several vulnerabilities, attach a few new features and announce the features, not mentioning the fixes. This could easily mislead the user if they should decide that upgrading is too much hassle to consider upgrading.
    nucrash
    • Fixes are announced

      Security fixes are actually announced. Just check out the changelogs for the last few updates:

      http://www.opera.com/docs/changelogs/windows/921/
      http://www.opera.com/docs/changelogs/windows/922/
      http://www.opera.com/docs/changelogs/windows/923/
      http://www.opera.com/docs/changelogs/windows/924/
      http://www.opera.com/docs/changelogs/windows/925/

      Look under the headline "Security".
      me001
  • RE: Opera accuses Mozilla of irresponsible disclosure

    This vulnerability has been around for quite some time now, I believe. As you can see, I believe it was originally reported by Zalewski. If Mozilla reported it without warning, I'd say they were in the wrong, but then again, this vulnerability appears to have been a known one for Mozilla for quite some time. Perhaps, after fixing it themselves, Mozilla discovered that Opera was also vulnerable and notified them. I don't feel that they should've had to wait to put out their own patch.

    Like the main article mentions, there's not enough details yet.
    nmcfeters
    • The point being: Mozilla published the flaw

      Mozilla could have put off publishing the flaw until Opera's fix was out. No reason to wait with their own patch. Just wait with the full disclosure.
      me001