And how exactly do you propose to "leave out the details and PoC" when the presence of the bug and the steps taken to fix it cannot be concealed from public view, given that the source code and the entire CVS entries are freely available for anyone to browse?


Mozilla users are getting the consideration they deserve. They deserve to know what code they are running whenever they feel like doing so and to know what the Mozilla team is doing with the code. That's probably one of the reasons why they run Firefox in the first place (but not necessarily the only or most important one).

The proposal for obscurity serves well closed-source initiatives and development processes that have limited or no public visibility, but it fails in the presence of OSS. The "responsible disclosure" advocates act as if Linux, *BSD, Mozilla and a zillion other open source projects did not exist in reality.

Perhaps what was needed was to report the IE and SP2 vulnerabilities in a similar fashion and not the opposite, but alas the reporter probably did not want the MSRC meat-grinding PR machinery going after him.

----
Two interesting points:

1) It took several minutes and more browsing elsewhere (in Bugzilla) before
my browser blew up after testing the POC.

2) When you reported a "Windows XP SP2 IE 6.0 Vulnerability"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2891)
and a "Windows XP SP2 Remote Kernel DoS"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2783)
you left the details of the bug and the POC out. Personally, I generally
approve of that, but why don't Mozilla users deserve as much consideration?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/