I've been quiet on this issue lately, but please don't think I haven't
been paying attention. I would really like to see this "security group"
get off the ground; I think it's the right way to go. I will speak to
someone in Mozilla about making the necessary changes to Bugzilla; the
actual rules should be worked out here in the newsgroup, hopefully by
consensus.

Please understand that the only reason I'm still using the
NS-Confidential flag in Bugzilla is that I don't have a good
alternative. The Mozilla security group would be that alternative. We do
have an internal bug database at Netscape, but there's no easy way (that
I know of) to move bugs from the internal database to Bugzilla. This
slows down the process of disclosing these bugs after they are fixed.
I'd much rather be able to simply flip a switch on these bugs at the
appropriate time, which is why I'm still using Bugzilla.

I support disclosure of security bugs to a trusted group of Mozilla
participants. Believe me when I say this is a priority, and that the
security folks at Netscape will participate in this as much as we
possibly can. Remember, though, that there are now over two million users
of Netscape 6 who will be harmed by premature disclosure of security
bugs. Our participation in the security group means trusting the safety
of our users to everyone in the group. This is a difficult position for
a company like Netscape. Please just keep that in mind.

-Mitch
--------------------
Opinions are mine, not Netscape's