Mozilla has denied reports that it has pledged to fix any critical Firefox vulnerability in just 10 days.
As the story goes, Mike Shaver, director of ecosystem development at Mozilla, was discussing the speed at which Mozilla patches vulnerabilities with Rsnake, a vulnerability researcher, during a late-night Mozilla party at the Black Hat show last week.
Shaver handed Rsnake a business card, upon which he had written Ten F**king Days, albeit in its uncensored form.
The recipient interpreted it, in a blog post, this way: "They said that they could roll out any critical patches within 10 days… The claim being — with responsible disclosure Mozilla can patch and deploy any critical severity holes within ‘Ten F**king Days’."
He scanned the business card and posted it to his web site as evidence.
IDG News Service then picked up the story and ran with it in a couple of publications, while noting that Mozilla had declined immediate official comment. Such comment did not take long to arrive.
This is the official Mozilla word: "This is not our policy," Mozilla’s head of security Window Snyder eventually said, in a blog posting yesterday. "We do not think security is a game, nor do we issue challenges or ultimatums."
"At no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities," Shaver himself added. "This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own."
The original claim was somewhat credible, given that Mozilla has in fact been known to patch vulnerabilities in 10 days or less. The most recent example was a protocol handler bug reported on July 21 and patched on July 31.