about ten days at black hat

I’ll write more about this later, but since people are starting to pick this up, I want to get this out quickly.

When I wrote “ten fucking days” on a card for Robert (rsnake), I was intending to express my confidence in our ability to turn around a fix quickly if we needed to, by giving him a sort of “admit one” ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turnaround on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression.

I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert doesn’t overshadow the great work that people on the Mozilla project do to keep our users secure.

[Update: Window has posted on this topic as well, over at the Mozilla security blog.]

11 comments to “about ten days at black hat”

  1. entered 6 August 2007 @ 1:37 pm

    [...] Shaver said his intent was simply to express confidence in Mozilla’s ability to turn around a fix quickly if necessary by giving Hansen an “admit one” ticket for a disclosure that he thought needed an especially fast response due to extreme risk. That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression. [...]

  2. entered 6 August 2007 @ 2:55 pm

    [...] Shaver also has posted a blog entry about the ten-day claim, saying he overreacted to the situation. “That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression. I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert don’t overshadow the great work that people on the Mozilla project do to keep our users secure.” [...]

  3. entered 6 August 2007 @ 3:33 pm

    [...] Mike Shaver, an executive at Mozilla, maker of the popular Firefox browser, promises a ten-day turnaround on bugs, and then backpedals furiously. [ha.ckers.org] [...]

  4. entered 6 August 2007 @ 3:36 pm

    [...] Mike Shaver, an executive at Mozilla, maker of the popular Firefox browser, promises a ten-day turnaround on bugs, and then backpedals furiously. [ha.ckers.org] [...]

  5. entered 6 August 2007 @ 3:45 pm

    [...] Mike Shaver, an executive at Mozilla, maker of the popular Firefox browser, promises a ten-day turnaround on bugs, and then backpedals furiously. [ha.ckers.org] [...]

  6. entered 6 August 2007 @ 4:09 pm

    [...] It’s official, Window Snyder didn’t like the 10FD story. Mozilla’s new policies and restrictions over Mike Shaver’s business cards have not been disclosed yet. [...]

  7. Anonymous Coward
    entered 6 August 2007 @ 9:37 pm

    Don’t worry about it. People are oh so politically correct and sensitive these days. Come on, people, Mike was only playing!

  8. Peter
    entered 6 August 2007 @ 10:45 pm

    Don’t let the media trolls get to you. It’s quite common knowledge that their “news” comes from only two sources, company media kits, and toeing to the line of advertisers. Who is the biggest advertiser in computer journals? And by any chance do they have a web browser with a poor security track record?

  9. entered 7 August 2007 @ 7:18 am

    [...] Shaver clarified the point on his blog to quell the rumors: [...]

  10. entered 7 August 2007 @ 9:28 am

    [...] And this is Mike’s version: “I was intending to express my confidence in our ability to turn around a fix quickly if we needed to, by giving him a sort of “admit one” ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities.” [...]

  11. entered 7 August 2007 @ 1:51 pm

    [...] Mike Shaver means by this that Mozilla is “capable of releasing a patch quickly for any critical flaw if that is deemed necessary”, but he in no way meant that Mozilla follows a policy under which every fix must ship within 10 days of the flaw being discovered. [...]