WinPlanet Software Downloads and Reviews for Small Businesses
Mozilla Security: More Than Meets the 'Aye'
Mozilla Responds to Security Process Accusations
Sean Michael Kerner

If open source by definition means that code is open, then why is Mozilla having some of its code discussions behind closed doors?

The reason is simple: to protect users.

Last week security researcher Robert Chapin alleged that Mozilla's security process wasn't open. According to Chapin, certain key discussions surrounding the resolution of security issues with Mozilla Password Manager that he first reported last November were less than entirely open.

Window Snyder, head of security strategy at Mozilla Corp., told internetnews.com that the allegation that Mozilla is not open is untrue. Snyder argued that Mozilla is as open as it can be and even somewhat democratic.

In addition to the publicly available Bugzilla bug database, Mozilla also has a separate security group with membership made up from both Mozilla and the wider community. Currently the group has 86 individual members, with Google, Red Hat, IBM, Sun, Ubuntu and Cenzic among the different groups represented.

"When security issues come in they might be discussed as a bug, but they might also be discussed in the security group," Snyder said. "One of the reasons why we do that is to make sure we get sufficient community feedback on all the different ways we can address a problem and to help us prioritize."

Snyder explained that the password manager bug originally reported by Chapin was discussed publicly in Bugzilla because there was a public disclosure of the vulnerability. Some of the discussion happened on the security group mailing list, where additional related risks were discussed in a way that wouldn't expose users to additional risk.

"There is a compromise between doing things completely openly and exposing users to additional risk versus doing it with a subset of the population that has been self-selected," Snyder said.

The Mozilla Security group is self-organizing, Snyder noted. Anyone wanting to join needs to get someone to nominate them and a couple of people to second and third the nomination. Mozilla does that to ensure it has a group that can keep the details of security vulnerabilities within the group until fixes are available.

Chapin has alleged that the Mozilla password manager is not yet fixed. Snyder stated that the bug that Chapin actually first reported is fixed, as Mozilla has already stated in the Firefox 2.0.0.2 release.

That's not to say the Mozilla password manager is bug free.

"There are other bugs that are related that we are prioritizing, and there is at least one that is being fixed in Firefox 2.0.0.3 and other bugs we may fix in the future," Snyder admitted. "Password manager is one of the components that is being considered for a rewrite so a number of issues may be resolved then."

Then there is the issue about the criticality of the password manager bug itself.

The initial bug filed by Chapin was listed in the Bugzilla database as being critical. When Mozilla issued a security advisory on the issue along with the 2.0.0.2 update, it labeled the flaw as being "low impact."

Snyder explained that it's not necessarily a straight line from Bugzilla to security advisory.

"A lot of factors may make a bug critical in Bugzilla, as it includes severity for any bug and not just security," Snyder said. "A security advisory is just about security."

Speaking about security, it's not just the contribution of external researchers that leads to Mozilla security advisories. Mozilla also has an active internal group doing penetration testing against Mozilla products. Snyder noted that they run the whole spectrum of security testing tools and approaches.

"We want to make sure that we're constantly looking for security vulnerabilities because new code is constantly being introduced and threats change," Snyder said.

Mozilla's security effort may also one day lead to a Mozilla open source effort on security tools and information.

"We are looking at ways of making the information we develop as part of our security testing openly available so people can use it to secure large software projects," Snyder said.

The issue of when Mozilla might make such tools and information available is part of the overall balance that Mozilla is striving to strike between functionality, security and disclosure.

"One of the different things about Mozilla is that it's cooperative here and community based," Snyder explained. "What needs to happen is that for each issue that comes up we're considering security in addition to what value this item brings to the user."

News courtesy of internetnews.com

March 16, 2007
