web application security lab

Archive for August, 2007

Mozilla Says “Ten Fucking Days”

Friday, August 3rd, 2007

I’ll do a more thorough writeup of the craziness that is Blackhat, but I thought this should go out ahead of all the other stuff. I don’t have a lot of time, so I’ll try to make this story short. Two days ago, after Jeremiah’s and my talk (you can get the slides off of the WhiteHat site), a number of people from Mozilla came up and said they wanted to talk more about the issues we were finding and other suggestions we might have (I’m going to write this part up more thoroughly later in a separate post as well). We were also invited to the Mozilla “milk and cookies pajama party,” which is pretty much exactly as it sounds.

We showed up, and nearly immediately I was surrounded by the bulk of the Mozilla QA and security team that was attending Blackhat. They asked me lots of questions and gave me lots of info. It was a pretty equitable trade of information. Clearly, they acknowledge that they need help from the community, but they also feel confident that once things come to their attention it’s simply a matter of days to close their holes. They said the recent rollouts were actually slower than they would have liked them to be, even though they were only a week and a half apart. Further, they said that they could roll out any critical patches within 10 days. Not one to let challenges go untested, I called BS.

At this point Mike Shaver threw down the gauntlet. He gave me his business card with a handwritten note on it, laying his claim on the line. The claim being that, with responsible disclosure, Mozilla can patch and deploy any critical severity holes within “Ten Fucking Days”:

I told him I would post his card, and he didn’t flinch. No, he wasn’t drunk. He’s serious. I’ve always been a fan of Mozilla and Firefox; however, this is a pretty bold claim for a company of any shape or size. I shopped the business card around to various people while I was at the Microsoft party the next day to get their reactions. The consensus was that it was funny and very difficult to achieve, and in one case, one of the head guys of security at Amazon simply doubted that the patches would be of sufficient quality. I’m not going to comment on my personal feelings on this matter, except to say that I’d love to see Mozilla back up their promise.