A new release of Firefox is available now. Firefox 1.0.2 contains several security fixes over the 1.0 version, most recently a potential GIF parsing flaw that hasn’t been exploited yet, but potentially could be. Being Open Source means that the code is viewed by many developers and errors tend to be found before they are exploited. Mozilla also runs a $500 bug bounty, offering money to people who find flaws in the code. These tactics are meant to ensure that any flaws in the code are found and fixed before anyone has a chance to exploit them. In some ways, Mozilla and OSS code are in a unique position here. By asking people to find flaws, rather than punishing people who look for them (as has happened in a couple of cases with commercial software lately, the latest being Sybase), you get the opportunity to find and fix bugs as quickly as possible. By punishing security firms for finding flaws, you ensure that the only people looking for flaws in your software will be those who wish to exploit them (called Black hats). They don’t tell the company that owns the software about the flaws; the owner generally finds out by examining exploit code after it is released. Hardly a good model for security. This quote by David Litchfield of NGSS best explains the point I’m making.
“Let’s face it, the details are there to anyone with a disassembler, anyway. This kind of legal threat achieves nothing other than to make legit researchers fearful about being sued if they find and publish security issues, even if they do so in a responsible manner,” Litchfield wrote. “In such a climate, security research will be driven underground, which is where the ‘good guys’ really don’t want to be.”