Mike Shaver, ten days, and expletives

Aug 6 2007

Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we’re among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.

Well, whatever he meant, his statement has taken on a life of its own. Robert posted on his blog, and a bunch of news articles picked it up as a challenge.

This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure.

14 responses

Pingback from » Patches in ten f***ing days? Not really, says Mozilla | Ryan Naraine’s Zero Day | ZDNet.com on August 6, 2007 at 11:37 am::

[...] security chief Window Snyder also offered an immediate explanation: When I asked him [Shaver] about it, he said he meant to communicate to Robert that since Mozilla [...]
Pingback from about ten days at black hat · Get Latest Mozilla Firefox Browsers on August 6, 2007 at 12:04 pm::

[...] Window has posted on this topic as well, over at the Mozilla security blog.] addthis_url = ‘http%3A%2F%2Fgetfirefoxbrowsers.com%2F2007%2F08%2Fabout-ten-days-at-black-hat’; [...]
Pingback from Mozilla says no guarantees of 10-day patch turnarounds — Security Bytes on August 6, 2007 at 12:55 pm::

[...] supposed claim that it could fix any responsibly disclosed flaw in 10 days. Mozilla security chief Window Snyder says that is not the group’s stance, and never has been. “This is not our policy. We do not think security is a game, nor do we [...]
Pingback from hackademix.net » Ten, they can! (if they want) on August 6, 2007 at 1:11 pm::

[...] official, Window Snyder didn’t like the 10FD story. Mozilla’s new policies and restrictions over Mike Shaver’s business cards have not [...]
Pingback from Mozilla: 10-day patch guarantee ‘not our policy’ on August 6, 2007 at 1:53 pm::

[...] is not our policy,” she wrote in a blog posting. “We do not think security is a game, nor do we issue challenges or [...]
Pingback from Techzi » Blog Archive » Mozilla: 10-day patch guarantee ‘not our policy’ on August 6, 2007 at 2:14 pm::

[...] is not our policy,” she wrote in a blog posting. “We do not think security is a game, nor do we issue challenges or [...]
Pingback from Firefox Clarifies ‘Ten Day Policy’ at Catherine’s Flying Hamster Blog on August 7, 2007 at 2:02 pm::

[...] link: Window Snyder’s Blog [...]
Pingback from Mozilla: 10-Day Patch Guarantee ‘Not our Policy’ « TechTitans™ on August 7, 2007 at 2:09 pm::

[...] is not our policy,” she wrote in a blog posting. “We do not think security is a game, nor do we issue challenges or [...]
Greg K Nicholson wrote on August 7, 2007 at 3:47 pm::

It’s a testament to Mozilla’s track record that so many people think it’s plausible that Mozilla could fix any security bug in ten days.
Pingback from about ten days at black hat · Get Latest Mozilla Firefox Browsers on August 8, 2007 at 6:26 pm::

[...] Window has posted on this topic as well, over at the Mozilla security blog.] addthis_url = ‘http%3A%2F%2Fgetfirefoxbrowsers.com%2F2007%2F08%2Fabout-ten-days-at-black-hat-2′; [...]
Pingback from Inside Firefox » Blog Archive » 10 days to a security fix on August 8, 2007 at 9:21 pm::

[...] is how shaver probably got to 10 days and I may be wrong on a lot of this, I’ve been out of the release loop. I’m posting [...]
Pingback from Mozilla nie będzie łatać dziur w 10 dni « Blog nyax’a, czyli mój ;) on August 10, 2007 at 3:49 am::

[...] następstwie tego wydarzenia Window Snyder oświadczyła na blogu, że wydawanie poprawek w ciągu 10 dni nie jest polityką Mozilli. Podkreśliła, że [...]
Pingback from TerminalDigit - Mozilla Officially Retracts “Ten Fucking Days” on August 15, 2007 at 1:10 pm::

[...] read more | digg story [...]
shaon wrote on August 22, 2007 at 12:31 am::

Mozilla is the best browser!!! Lets time to leave IE

Pingback from » Patches in ten f***ing days? Not really, says Mozilla | Ryan Naraine’s Zero Day | ZDNet.com on August 6, 2007 at 11:37 am::

Pingback from about ten days at black hat · Get Latest Mozilla Firefox Browsers on August 6, 2007 at 12:04 pm::

Pingback from Mozilla says no guarantees of 10-day patch turnarounds — Security Bytes on August 6, 2007 at 12:55 pm::

Pingback from hackademix.net » Ten, they can! (if they want) on August 6, 2007 at 1:11 pm::

Pingback from Mozilla: 10-day patch guarantee ‘not our policy’ on August 6, 2007 at 1:53 pm::

Pingback from Techzi » Blog Archive » Mozilla: 10-day patch guarantee ‘not our policy’ on August 6, 2007 at 2:14 pm::

Pingback from Firefox Clarifies ‘Ten Day Policy’ at Catherine’s Flying Hamster Blog on August 7, 2007 at 2:02 pm::

Pingback from Mozilla: 10-Day Patch Guarantee ‘Not our Policy’ « TechTitans™ on August 7, 2007 at 2:09 pm::

Greg K Nicholson wrote on August 7, 2007 at 3:47 pm::

Pingback from about ten days at black hat · Get Latest Mozilla Firefox Browsers on August 8, 2007 at 6:26 pm::

Pingback from Inside Firefox » Blog Archive » 10 days to a security fix on August 8, 2007 at 9:21 pm::

Pingback from Mozilla nie będzie łatać dziur w 10 dni « Blog nyax’a, czyli mój ;) on August 10, 2007 at 3:49 am::

Pingback from TerminalDigit - Mozilla Officially Retracts “Ten Fucking Days” on August 15, 2007 at 1:10 pm::

shaon wrote on August 22, 2007 at 12:31 am::