Firefox Devs have been criticised in the past for making all their security issues public. This may not back up the accuracy of secunia’s research, but it makes your argument, that other vendors are encouraged to be secretive, a moot point, since they may very well intend to be secretive for the sake of user security.

[Lucas]: Mozilla only makes security issues public once they have been fixed and the update has had time to propagate. Keeping details of fixed issues private doesn’t help user security; the bad guys already know how to reverse-engineer those fixes. That is why security researchers responsibly disclose their findings once a fix is public, so other developers can learn from those mistakes.

Yikes and yikes again!
Judging by the headlines around the Internet, it’s almost as if people have been anxiously waiting for some dirt on Mozilla. I imagine that they have a collection of negative Mozilla related posts pre-written just ready to go. Since when did Mozilla become the bad guys anyway?

Is this an attempt to bury the news of yet another great month for Firefox whereas Firefox’s market share is reported to be at 24% and 63% (a new low) for Internet Explorer?

And of all things to report on incorrectly, Mozilla’s security.
What a low blow.

When promoting Firefox, Thunderbird, and Mozilla itself, I tell people that not only do I implicitly entrust my passwords, personal and other data to Mozilla and its products, so do their employees, the developers, and a few hundred other million people worldwide so take comfort in that.

Is it that Secunia is not unbiased and neutral? Are they monetarily and politically motivated by a dude who happens to be one of the richest men on the planet? Or is that they just don’t care about the quality of what they produce and what their name goes on?

I just don’t get it and it all pi**es me off because rebutting this and trying to stave off any further damages will not be easy when the momentum is already on the side of the idiots.

Of course Secunia is biased and not neutral. When they published the report, they knew that the numbers don’t give an accurate picture. They could have easily explained this, but they choose not to. Yes, you can blame them.

Lucas,

I see your point, but the reality of reporting security incidents and vulnerabilities went in the the wrong direction a few years ago.

By fully disclosing your security vulnerabilities in today’s environment, you expose yourselves to this inequity in the industry.

The good, for those of us that know your policies we understand the obvious discrepancies in the Secunia report.

Perhaps you should write them (stillwater perhaps) and ask them to add an Astrix to your data. Add something to the affect that public disclosure by Mozilla is based on Full Disclosure while other browser vulns rely only on publicly available disclosures.

Maybe you should also add a flag to your vuln reports to level the playing field?

Good luck,
Phil Agcaoili

@Ken Saunders
Jeff Jones says on page 2 of his article, “Secunia report specifically limited scope to vulnerabilities disclosed during 2008.”

He lists six high/critical severity vulnerabilities in Firefox 2 that were publicly disclosed before 2008 but never fixed. 352 days of risk in 2008 before Firefox 2 went end of life, for each of those vulnerabilities.

I’m not sure you read that far in Jeff’s article, but it’s a interesting statistic against Brian Krebs’ note that you quoted:

“How long did it take each browser maker to address security flaws once those vendors knew about them?”

Also, I like the fact Jeff quotes a variety of sources including this one. Strangely, Mozilla does not provide a link back to Jeff, which would faciliate a more open discussion IMHO.

By the way, I find it easier to follow Jeff’s blog, he tends to go in more detail there and there’s less advertising noise.

http://blogs.technet.com/security/archive/2009/03/09/supplemental-data-for-calculating-mozilla-patching-speed.aspx

@Ken Saunders: Now I’m offended!
(I’m a geeky Mozilla fan Laughing Out Low, does that count? Hehehe…)

So, Opera has more security than Mozilla ?

IF so, why not publishing how many issues were found by your team and how many were found externally? Until you publish it, I simply don’t believe you. Me – switching back to IE8. Good and safe.

Other software vendors do not report all the bugs they have with their software unlike Firefox. I believe is unfair to compare Firefox with dishonest Micrsoft, Apple, and Opera.

While I am no expert on coding anything. I do however repair/remove a ton of virus and other crap my customers get. My repeat customers are the ones who don’t listen to me about Firefox. They refuse to understand that you can’t just wait till your software vendor release’s their normal updates to fix security holes. Firefox, while not perfect has helped me to gain repeat customers, not by being a bad product but by doing so well, that when something else goes wrong i.e. hard drive fails, those customers return since they were happy with my advice.(Granted it’s not just me recommend Firefox, I recommend other open source programs, it also has to do with the quick service times, and speaking to them in language that they can understand)

I tell all my customers not only do you need to use a good browser but you also have to use some common sense on the web. Sorry even those who stick with IE if they use their brains would have far fewer problems.

I never expect Firefox or any other product to be perfect, however I am pleased with the response times that Firefox has, not to mention that it’s open source, which allows me to use a ton of add ons

Any type of report is bound to be wrong one way or another. Just look at the way company’s are doing their polling. The post the numbers but often leave out how the question was worded.

If I asked a 100 people if they liked scrambled eggs served COLD, and then reported that 99% of the people I polled do not like eggs, Would that be a lie?

@stillwaiter

Nobody said that secunia only hates firefox, but secunia sure doesn’t try to even pretend to be impartial in their latest “report”.

I’m very curious how you feel justified stating that a group that releases a “report” isn’t responsible for its accuracy. Are you saying that it’s ok to do sloppy work as long as it’s easy? I just did a study and found that 97% of the people that use the handle “stillwaiter” have below average intelligence – it’s a good thing I’m not responsible for the accuracy of those results, right? It’s just my job to report them!

I might almost agree with you that it’s not secunia’s job to educate people about the meaning of the numbers, but any self-respecting data collector should at least have the integrity to highlight numbers that were collected in different ways when “comparing” them. As has been pointed out in the comments above, even just having an asterisk next to the number and a quick explanation in the chart would have at least been a step in the right direction. Explaining large variations in your data is not showing bias, it’s explaining large variations in your data. Since this data was collected in a different manner, it’s entirely biased not to disclose this. It’s a good thing real scientists can’t be this sloppy! Maybe next year Secunia should double its budget to TWO dollars to generate a useful report.

Regarding the definition of “neutrality”, perhaps this might help since you can’t seem to find it on wikipedia:
http://dictionary.reference.com/browse/neutral
The first definition is “not taking part or giving assistance in a dispute or war between others”. Secunia releasing a report based on information it knows to be incorrect with misleading graphs fits well here. This does not fall into the category of “neutral” since it IS giving assistance to all non-firefox browsers in its report. Perhaps your English could use a bit of polishing too.

Ari T is right. You can tell your employer they are wrong.