Ben Bucksch wrote:

    * The known, hidden security bugs are usually *not* being fixed
      timely (contrary to assertions by Mitch during the policy
      discussion IIRC). Some critical ones rotted for years until they
      were driven out. There are currently 59 hidden, unfixed bugs.
      The by far oldest one, a spoofing bug, is from 1999; none from
      2000/2001; about 40% are from 2002; 90% are from 2003 or earlier.

It was pointed out to me that this statement was misleading. This is merely counting the hidden, unresolved bugs in Bugzilla classified as "security bugs"; this does not mean that all of these are critical or even valid, as I implied later by saying that there were basically no critical bugs in September and later "(I think that's feasible now, given that we should be at or close to zero critical bugs)". Many of these current, hidden bugs are just questions from review, "are we having a problem there?".

(However, if they are not critical, I don't think they should be hidden, which was one of my points.)

Mozilla-security mailing list
