Mozilla leaves Opera users to the wolves

Firefox team gives Opera one day to fix security hole

Personally, this makes me a bit mad.

As John Leyden at The Register reports, Opera Software, which makes my beloved web browser, Opera, is miffed at Mozilla because Mozilla discovered a problem affecting its own Firefox software as well as Opera’s, fixed the hole, told Opera, and then announced the hole to the public one day later.

Opera’s Santambrogio tells it like this:

Mozilla notified us of one security issue ( :smile: ) the day before they published their public advisory ( :worried: ). They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody ( awww ).

Opera is as always committed to not only protecting its users, but to making the Web a safe place. We believe in responsible disclosure of vulnerabilities affecting several vendors.

This is a big deal because it’s industry-standard behavior to give software manufacturers anywhere from months to over a year (*cough* Internet Explorer issues *cough*) to fix a security problem in their software after you warn them about it. A day is unheard of. Only after a long time, or after they’ve fixed it, does it become ethical to tell the public. Why? Because announcing a problem before the vendor has fixed it puts users at risk.

Opera and Mozilla are similar in that they work hard for open standards and the future of the Web. They’re both underdogs in the fight against MSIE and a closed web. For Mozilla to treat Opera and Opera’s users (like me!) in this manner is pretty rude and thoughtless. Especially given all that Opera has done for the industry. How many of Firefox’s best features and extensions were directly inspired by Opera? (Answer: Very, very many.)

I don’t mean to rant, and it’s my sincere hope that the Mozilla people made an honest mistake by releasing this information, but I’m personally offended that Mozilla doesn’t seem to care about my security unless I’m using their products.


February 18th, 2008. (Updated: February 18, 2008 at 4:03pm.)
Alan Hogan (@alanhogan).