from the because-vulnerabilities-want-to-be-free dept.
Mozilla's lawyers have argued that the FBI should disclose a vulnerability in the Tor Browser that could affect other versions of Firefox:
Mozilla seems to take issue especially with the fact that the judge has already ordered the disclosure of the vulnerability to the defense attorneys in a criminal case, which means the FBI has disclosed the vulnerability to a third party before the vendor of the product itself. This could lead to many others finding out about the vulnerability before the company has a chance to fix it.
The company thinks that although the FBI targeted the Tor browser and not Firefox itself, the vulnerable code may be part of Firefox, as well. The Tor browser is written on top of the enterprise version of Firefox (ESR), so a majority of the code is shared between the two browsers.
Mozilla argued in a filed brief that the court should follow the industry best practices around vulnerability disclosures and order the FBI to disclose vulnerabilities to the vendors first.
Also at The Intercept.
(Score: 3, Interesting) by Scruffy Beard 2 on Saturday May 14 2016, @12:16PM
Industry best practices are not the same as "required".
Disclosing vulnerabilities you find to the vendor is polite, but not a requirement.
If the vendor is really worried about it, maybe they should fix long-standing bugs (like tables not being able to print across multiple pages) rather than trying to imitate Chrome.
(Score: 5, Insightful) by Gravis on Saturday May 14 2016, @12:35PM
I absolutely agree. However, when you have an entity in a position of authority like the FBI withholding a vulnerability, it could easily trigger other people to think, "if the FBI doesn't, why should I?" and then go on to sell the information to the highest bidder or release the info at a blackhat conference where it will still be a zero-day exploit. Leading by example (good or bad) has repercussions even if you didn't know you were leading at all.
(Score: 2) by butthurt on Sunday May 15 2016, @12:13AM
The name notwithstanding, the Black Hat [blackhat.com] conferences admit anyone who can pay the admission fee--not just black hats. Are there conferences where only black hats are welcome?
(Score: 1, Touché) by Anonymous Coward on Saturday May 14 2016, @04:06PM
YEAH! Because printing is crucial these days and much more important than security vulnerability!
(Score: 2) by butthurt on Sunday May 15 2016, @12:45AM
The Mozilla Foundation pays $500 to $7500 per bug [mozilla.org] (depending on the severity) for disclosure of security bugs and has paid out $1.6 million altogether. If they were to increase that amount, they'd have more people looking for bugs. Potentially, bugs used by the FBI and their ilk could be discovered independently by people working on behalf of the foundation. That may even have happened with this particular bug: perhaps it's been fixed but the FBI chooses not to disclose it due to contractual obligations, as a way of discouraging people from using Tor Browser, or out of a habit of not revealing sources and methods.
(Score: 0) by Anonymous Coward on Sunday May 15 2016, @07:40AM
The FBI is a taxpayer-funded surveillance disaster that should have its budget cut in half. It would take all of 5 minutes for the FBI to reverse course and send the bugs to project maintainers. Remaining an enemy of the people will be more trouble in the long run.