Stuart Ballard wrote:
> But the first item is so broadly worded that it could cover anything,
> including providing this kind of warning. Could you narrow down that
> first item somewhat, and make it explicitly clear that giving public
> warning to users about the bug, provided specifics are not mentioned, is
> okay?

You've both missed this point:
--- begin quote ---
Mozilla distributors participating in security bug group activities can
mention in their release notes that a security bug has been fixed, but
we ask that they be vague and not describe the exploit in detail.
--- end quote ---

Ben, we fully expect Beonex and all other vendors to notify their users
about the existence of an exploit. Nothing in this proposal was meant to
disallow that. Maybe we can make that point clearer. However, I think
there's a distinct difference between *allowing* individual vendors to
inform their users, ship new versions, mention the bug in the release
notes, etc., if and when they deem necessary, and *requiring* that
Mozilla.org post even a vague description of each and every
vulnerability submitted. The latter will discourage many vendors from
participating at all, enough so that the security group will become
pointless.

My understanding from Mozilla.org (Mozilla staff, please correct me if
I'm wrong) is that Mozilla is not an end user product. All users of the
Mozilla browser are considered to be beta testers, and Mozilla makes no
guarantees about the safety of any build, including milestones. Vendors
such as Netscape, Red Hat, and Beonex turn these betas into end-user
products, and vendors bear responsibility for the safety of those products.

Mozilla milestones are much shorter than the product cycles of most
vendors. I would guess that most Mozilla-based products ship end-user
releases twice a year. It is reasonable to expect that no bug would be
held confidential for longer than 9 months, after which all major
vendors will have shipped a fix. In the meantime, any vendor that wants
to can already have informed its users (discreetly) and shipped a fix.

In fact, while I really don't expect or intend this to happen, even if a
bug remains in the security group forever, I would argue that everyone
who needs to know about the bug will still have access to it through
their representative on the security group.

I realize that this proposal isn't perfectly "open," but it's a
compromise that I believe vendors can accept. The alternative is for
vendors not to file vulnerabilities in Bugzilla or disclose them to
Mozilla.org at all. Everyone would be worse off in this case.

-Mitch