Mozilla commits to 10-day patch timelineBy Justin Mann
Update: Long story short, Mike Schaver's comments were not meant to be taken so literally and Mozilla was forced to issue an official statement saying that the 10-day patch timeline is not their policy.
Lately, there has been a splash of security updates that Firefox has received due to exploits found, and that prompted some rather bold words from Mozilla. On top of increasing their reach into the security sector and commenting on the slowness of IE updates, Mozilla has commented on their own ability to patch. This week, they have stated that they will not only give quick security updates, but assure them to come within 10 days of a bug's discovery.
There's a couple of catches. One, the vulnerability must be rated as critical - something that is open to interpretation, and what Secunia reports as critical may not earn the same tag by the Mozilla developers. Two, they are equating this to exploits reported "properly" - that is, silently, without notifying the public before they notify Mozilla:
Shaver's 10-day pledge applies to "critical" vulnerabilities, although there is no standard for such a rating, and different companies evaluate levels of risk in different ways. Another condition is that the vulnerability is disclosed responsibly, meaning Mozilla is notified of the issue before it is publicised.
That said, even though this is a bold claim to make, it does seem possible. As far as quality assurance goes, that may be a different story. Fixing a problem is often easier than making sure that fix doesn't create more problems, as Microsoft is well aware of.
No doubt we'll soon see if the Mozilla developers are up to this challenge.