Mozilla Security Blog » Conferences

Economics of vulnerabilites roundtable

Lucas Adamski — Fri, 10 Jun 2011 21:59:47 +0000

Mozilla recently had the opportunity to participate in a panel discussion regarding the economics of vulnerabilities and bug bounties at the Hack in the Box conference in Amsterdam. Out of that came some interesting insights about how various markets are monetizing vulnerabilities, and the resulting implications for vendors, users and pretty much everyone else. You can read the full post here.

Mike Shaver, ten days, and expletives

Window Snyder — Mon, 06 Aug 2007 17:50:01 +0000

Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we’re among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.

Well, whatever he meant, his statement has taken on a life of its own. Robert posted on his blog, and a bunch of news articles picked it up as a challenge.

This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure.

JavaScript fuzzer available

Window Snyder — Thu, 02 Aug 2007 19:20:04 +0000

Mike Shaver and I just finished presenting “Building and Breaking the Browser”at Blackhat today in Las Vegas. We discussed the methods and tools that Mozilla uses to secure the Firefox browser. These tools include a fuzzer for Javascript, which has led to the discovery and resolution of dozens of critical security bugs. Fuzzers are tools that generate a large amount of input in order to test the robustness of a piece of software and can be used to identify potential vulnerabilities.

This is the tool we discussed in our presentation, the first in a series of security tools that we intend to make publicly available.

https://bugzilla.mozilla.org/show_bug.cgi?id=jsfunfuzz

The responsible sharing of security tools is an important way to contribute to the overall health of the web. We worked with Microsoft, Apple, and Opera to reduce the possibility that this tool might adversely affect users of those browsers. All of these browser vendors reviewed the tool and let us know that they were okay with the release.

Off to Black Hat!

Window Snyder — Tue, 31 Jul 2007 04:34:59 +0000

I’m heading to Las Vegas tomorrow for the Black Hat Briefings. If you’re in town you can catch me speaking on Thursday morning on Building and Breaking the Browser.

You can also catch up with me Wednesday afternoon on the Future of Information Security panel or Thursday afternoon on the Ethics Challenge panel.

After you roll in from all the parties on Wednesday night, stop by Royal 55, Augustus Tower in Caesar’s Palace to have milk and cookies with Mozilla. It’s a super chill pajama party with some of the people who make Firefox. Pajamas not required. Stop by on your way to bed. We’ll be there 11pm to 2am and possibly later.

BaySec is tonight!

Window Snyder — Wed, 18 Jul 2007 21:38:00 +0000

If you are a security geek in the bay area, find your way to O’Niell’s on 3rd and King Street in San Francisco at 7pm to meet up at BaySec. I’ll be there to celebrate shipping Firefox 2.0.0.5. I may even have some Mozilla and Firefox goodies to give out. Say hi if you see me there.

Details here: http://www.sockpuppet.org/baysec/

Building and Breaking the Browser at Blackhat

Window Snyder — Mon, 04 Jun 2007 22:59:27 +0000

Mike Shaver and I will be speaking at Blackhat August 1-2, 2007 on Firefox Security. It looks like there will be a number of Mozilla folks in attendance. I hope to see some of you there.

Building and Breaking the Browser

Traditional software vendors have little interest in sharing the gory details of what is required to secure a large software project. Talking about security only draws a spotlight to what is generally considered a weakness. Mozilla is using openness and transparency to better secure its products and help other software projects do the same.

Mozilla has built and collaborated on tools to secure the Firefox Web browser and Thunderbird e-mail client, the first of which will be released at Blackhat Las Vegas 2007. These tools include protocol fuzzers for HTTP and FTP and a fuzzer for Javascript, which together have led to the discovery and resolution of dozens of critical security bugs. These tools may be useful to anyone developing or testing applications that implement or depend on these technologies.

Window Snyder and Mike Shaver will introduce these tools at BlackHat Las Vegas 2007 and discuss methods used to identify vulnerabilities in Firefox; plans for expanding the scope of Mozilla’s work on Web security, and how Mozilla’s security community uses openness and transparency to protect 100 million users around the world. Learn how to apply Mozilla’s tools and techniques to secure your own software, and get an early look at new security features for Firefox 3.