How can Mozilla be open about security issues without exposing users to additional risk?
Being open about security issues means that users have the information they need to understand their risk, that the community can contribute to the security process, and that other software development projects can benefit from our experiences. Unfortunately, sharing the details of security issues broadly before they are patched could expose users to risk. The balance we have come up with is to work with a group of people who represent the interests of the entire community and who can give feedback, offer suggestions, and help fix security issues.
The Mozilla Security Group is a team of people from the community, including employees, individual contributors, and other vendors, who work on securing Mozilla projects. The group has been in place since 2002, predates the Mozilla Corporation, and as of today has 93 members. The team is self-organizing: new members are nominated by existing members in recognition of valuable contributions to security efforts. This system is democratic and is similar to the method used to grant new contributors the right to add code to Mozilla projects.
This team enables us to draw on the knowledge of the community and be open about security issues while still protecting our users until we are able to ship a fix.