Recently there have been public reports of a security vulnerability in the Mozilla open source web browser and Internet client. Note that a fix for that particular vulnerability has now been checked into the Mozilla source tree, will be available in new Mozilla nightly builds, and will be included in the Mozilla 1.0 release. For further details on the vulnerability and the fix please see bug report 141061 in the Mozilla project's bug database, as well as the related bugs 141348, 141453 and 141551 [1]. On behalf of the Mozilla community we at mozilla.org thank all the people who participated in discovering, reporting, investigating, and fixing this bug.
We encourage people to report any and all bugs in Mozilla, including security-related bugs, to the Mozilla project. As a reminder for future bug reporters, the Mozilla project has a formal policy for handling reports of security vulnerabilities; this policy was created after extensive discussions between mozilla.org staff and the public Mozilla community. The main elements of this policy are as follows:

* Anyone who believes they have found a Mozilla-related security vulnerability can and should report it by sending email to the address [EMAIL PROTECTED]

* We may keep information in the Mozilla bug database about the vulnerability confidential for a limited period of time, during which the vulnerability will be investigated and (if possible) a fix produced.

* The reporter of the vulnerability is invited to work with Mozilla developers to investigate and fix the vulnerability. The bug reporter will be granted access to the confidential information in the Mozilla bug database relating to the vulnerability, and may at their discretion publicly disclose that information at any time.

* Once disclosed, information in the Mozilla bug database relating to the vulnerability will be publicly available for viewing by any interested party.

For more details, see the full policy document [2]; any questions about the policy should be directed to mozilla.org staff at [EMAIL PROTECTED]

Note that vendors of Mozilla-based products may have their own policies and procedures relating to reports of security vulnerabilities; questions about those policies and procedures should be directed to those vendors.

Public reports about the recent Mozilla vulnerability have also mentioned a "Bugs Bounty" program offered by Netscape. We applaud vendor efforts to provide appropriate recognition to those who report bugs.
However, note that the "Bugs Bounty" program and similar vendor-sponsored initiatives are independent of the public Mozilla project; mozilla.org does not oversee or control such programs, nor does mozilla.org operate its own such program.

[1] http://bugzilla.mozilla.org/show_bug.cgi?id=141061
    http://bugzilla.mozilla.org/show_bug.cgi?id=141348
    http://bugzilla.mozilla.org/show_bug.cgi?id=141453
    http://bugzilla.mozilla.org/show_bug.cgi?id=141551

[2] http://www.mozilla.org/projects/security/security-bugs-policy.html

-- 
Frank Hecker
[EMAIL PROTECTED]
