{"id":9326,"date":"2016-05-11T16:29:02","date_gmt":"2016-05-11T23:29:02","guid":{"rendered":"https:\/\/blog.mozilla.org\/?p=9326"},"modified":"2016-05-13T08:30:02","modified_gmt":"2016-05-13T15:30:02","slug":"advanced-disclosure-needed-to-keep-users-secure","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/","title":{"rendered":"Advance Disclosure Needed to Keep Users Secure"},"content":{"rendered":"<p><a href=\"https:\/\/www.mozilla.org\/en-US\/about\/manifesto\/\">User security is paramount<\/a>. Vulnerabilities can weaken security and ultimately harm users. We want people who identify security vulnerabilities in our products to disclose them to us so we can fix them as soon as possible. That\u2019s why we were <a href=\"https:\/\/blog.mozilla.org\/press\/2004\/08\/mozilla-foundation-announces-security-bug-bounty-program\/\">one of the first companies to create a bug bounty<\/a> program and that\u2019s why we are taking action again &#8211; to get information that would allow us to fix a potential vulnerability before it is more widely disclosed.<\/p>\n<p>Today, we filed a <a href=\"https:\/\/blog.mozilla.org\/press\/files\/2016\/05\/Mozilla-Motion-to-Intervene-or-Appear-as-Amicus-Curiae-in-USA-vs-Jay-Michaud_5112016.pdf\">brief<\/a> in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, the government must disclose the vulnerability to us before it is disclosed to any other party. We aren\u2019t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure.<\/p>\n<p>The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser. The Tor Browser is partially based on our Firefox browser code. 
Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don\u2019t believe that this makes sense because it doesn\u2019t allow the vulnerability to be fixed before it is more widely disclosed.<\/p>\n<p>Court-ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.<\/p>\n<p>Governments and technology companies both have a role to play in ensuring people\u2019s security online. Disclosing vulnerabilities to technology companies first allows us to do our job to prevent users from being harmed and to make the Web more secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>User security is paramount. Vulnerabilities can weaken security and ultimately harm users. 
We want people who identify security vulnerabilities in our products to disclose them to us so we can &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/\">Read more<\/a><\/p>\n","protected":false},"author":563,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Advance Disclosure Needed to Keep Users Secure - The Mozilla Blog (Archived)<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Denelle Dixon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/\",\"name\":\"Advance Disclosure Needed to Keep Users Secure - The Mozilla Blog (Archived)\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#website\"},\"datePublished\":\"2016-05-11T23:29:02+00:00\",\"dateModified\":\"2016-05-13T15:30:02+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/blogarchive\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Advance Disclosure Needed to Keep Users Secure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/\",\"name\":\"The Mozilla Blog (Archived)\",\"description\":\"Dispatches from the Internet 
frontier.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/blogarchive\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec\",\"name\":\"Denelle Dixon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/image\/1720f6d7063c89117905d2c75f3b155a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g\",\"caption\":\"Denelle Dixon\"},\"description\":\"Denelle Dixon-Thayer is Chief Legal and Business Officer at Mozilla Corporation\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/author\/ddixonmozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Advance Disclosure Needed to Keep Users Secure - The Mozilla Blog (Archived)","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/","twitter_misc":{"Written by":"Denelle Dixon","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/","url":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/","name":"Advance Disclosure Needed to Keep Users Secure - The Mozilla Blog (Archived)","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/#website"},"datePublished":"2016-05-11T23:29:02+00:00","dateModified":"2016-05-13T15:30:02+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2016\/05\/11\/advanced-disclosure-needed-to-keep-users-secure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/blogarchive\/"},{"@type":"ListItem","position":2,"name":"Advance Disclosure Needed to Keep Users Secure"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/blogarchive\/#website","url":"https:\/\/blog.mozilla.org\/blogarchive\/","name":"The Mozilla Blog (Archived)","description":"Dispatches from the Internet frontier.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/blogarchive\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec","name":"Denelle 
Dixon","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/image\/1720f6d7063c89117905d2c75f3b155a","url":"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g","caption":"Denelle Dixon"},"description":"Denelle Dixon-Thayer is Chief Legal and Business Officer at Mozilla Corporation","url":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/author\/ddixonmozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/posts\/9326"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/users\/563"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/comments?post=9326"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/posts\/9326\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/media?parent=9326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/categories?post=9326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/tags?post=9326"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/coauthors?post=9326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}