Response (Score 1)

I'm the non-crypto security module owner for mozilla.org. I appreciate all the comments that people have posted. I'll try to respond to some of them. Note that I'm not speaking as a representative of Netscape, just as a module owner.

We'll be hashing out a policy for security bugs on netscape.public.mozilla.security. Mike Shaver has already posted a proposal. We've never considered keeping the set of people that can see security bugs limited to Netscape, nor have we considered keeping the security bugs private indefinitely.

Note that security bugs that have been fixed are *already* available for anyone to view. This query shows all the security bugs I've fixed, which includes some exploits and some implementation bugs. The only issue revolves around bugs that are known, but not widely known, and not yet fixed and distributed.

One thing to keep in mind: In my experience, fixing security bugs isn't hard, it's finding the bugs in the first place. So we don't need a lot of eyes on the bug to get a fix. Instead we need a lot of eyes on the source to find security problems.

So if you'd like to help prove that open source increases security, come look for security bugs in mozilla. Mail me if you'd like to help.

(posted with mozilla)