Mozilla's like "let's hide our security issues until they're exploited"

I can’t believe that:

We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication. We are reducing the number of users with privileged access and limiting what each privileged user can do. In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.

I really do hope you’re not serious here, Mozilla.

When there are security holes lying around for months and someone leaks the particular bug reports, the problem is not that someone got access to your bug tracker; the problem is that there are old unfixed security holes. Just because no one can see them does not make them less important. It can’t be so hard, given that you were able to fix them when you saw the first exploits.

Please don’t try to fool us.

I think the goal is not to “wait till it’s exploited” but to hide it from the evil people that are looking for exploits to use on people. Especially based on that case there.

Exactly. It’s standard for most security teams not to publish their exploits until they are fixed. You don’t want to open your doors to strangers before they know they’re open.

Yes, some do find it, but this can be contained. No system is ever complete. It’s an eternal cycle.