Mozilla says security researchers wield too much power

Posted by Frederick Roberts

San Jose (CA) - Mozilla’s security chief Window Snyder has said that software developers are at the mercy of bug hunters where disclosure of critical flaws in programs is concerned. She is calling on security researchers to follow a universal responsible bug disclosure policy which would allow software developers time to fix a bug before it is made known to the public and malicious hackers alike.

“The researcher has all the power,” Snyder said at a panel discussion during the ShmooCon hacker event on Saturday. “They control when they disclose it, and they control the idea whether or not the vendor responds in time... I would appreciate 30 days, but I will take what I can get.”

The debate over bug disclosure has raged for years. On the one hand, responsible vendors want time to fix bugs before they are made known to the world. On the other hand, responsible security researchers can be frustrated when vendors sit on an unannounced bug that would be too costly to fix unless they are given a very good reason to act (such as a lot of hackers already knowing about it).