Hello,
Previously, when I was more involved in the Mozilla Project, and when I was working for the Mozilla Corporation, we immensely appreciated responsible disclosure of security flaws from security researchers (and others). There were at least a couple of instances I can remember around this time of the year (BlackHat, DefCon conferences) when security researchers would responsibly disclose prior to giving a talk at a security conference about the hack they had devised. This allowed us to fix the root problem before or at the same time as their public disclosure at the conference. In fact, there were times we'd coordinate with other vendors (Microsoft, Opera, Apple) who had the same issues.
I was struck by how important this methodology was after attending one DefCon talk in which a physical key hacker had devised a method to break into the most robust and "impossible to hack" key lock in the world. He had disclosed this to the company over a year in advance of his talk to give them time to make the real, physical world changes needed: devising a new, more advanced lock; changing their manufacturing procedures; alerting their customers; upgrading as many customers as possible to the new locks. He even worked with them to ensure he could discuss his hack publicly without doing too much harm to the company. (I think it was along the lines of... "Now that you've implemented a fix for a good percentage of your customers, would it immensely hurt your company to give a talk now?")
Thus, I was very saddened to read this article in Forbes.
http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/
From page one:

At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he's discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company's figures.
So far so good. I imagine Mozilla encourages these sorts of activities as they help in all aspects of security research. Then I went to page two:
In a move that may dismay security practitioners, Brocious never contacted Onity or its parent company United Technologies Corporation to tell the firm about its security flaws, and doesn't plan to ahead of his talk. But he says that's because there's little the company could do: the locks can't be simply upgraded with new firmware to fix the problem. New circuitboards will have to be installed in every affected lock, a logistical nightmare if millions of locks prove to be vulnerable.
This makes me sad. It's not clear to me that he actually knows how many locks are vulnerable ("_if_ millions of locks...") or if Onity could actually get a fix out there. It's even possible that there *is* something Onity can do, but they have no way to know prior to disclosure. Later in the article he says that this was a better way to get hotels aware of the situation. Having not contacted Onity, how can he know what that company might do as far as disclosure to its customers?
My question is this:
If Mozilla appreciates responsible disclosure, it should definitely expect the same from its employees. Does a responsible disclosure policy exist at Mozilla?
-Sam