[wp-hackers] Development Process

Robert Deaton false.hopes at gmail.com
Thu Jul 27 15:37:17 GMT 2006


On 7/27/06, Doug Stewart <dstewart at atl.lmco.com> wrote:
> Robert Deaton wrote:
> That royally pissed off Microsoft, yet Firefox and Opera reacted quickly
> and fixed issues raised by Metasploit.  Let's be Firefox, not Microsoft
> in our approach to these things.  Perhaps we should take a look at their
> methodologies for addressing security issues...

Now that's more of the response I was hoping to see.

Firefox itself has both a security mailing list and their bugzilla
available for reporting and discussing security issues. Both are open
to the public. Personally, I like the idea of a mailing list, but one
that is closed to invitation only (and maybe with archives that are
updated after each release for the public to see the discussion that
took place).

I know the first argument is going to be "Firefox's security lists are
open to the public, why shouldn't ours be?" First and foremost, it
would be very difficult to target a single person running Firefox to
infect them in any way. Second, it's not just the security of our users
we're putting at risk, we're putting shared hosting companies at risk
as well. Servers are more popular targets for a certain range of
malicious black hats because they have the bandwidth that infecting
home machines through a browser does not. And last but not least,
Firefox can update itself when a new security fix is available, so to
them, who cares if the whole world sees as long as it's resolved within
a short enough time?
-- 
--Robert Deaton
