Mozilla

Symantec Security Report

March 14th, 2006

I’ve been following the news reports that Symantec has decided to change the way it counts security threats for browsers. Symantec is moving from a system which counted only vendor-acknowledged problems to two categories. One is vendor-acknowledged and one is both acknowledged and not-acknowledged.

I want to applaud Symantec for making this change and for noting that this is a better methodology. The new method is better because it reports serious problems whether or not the vendor has acknowledged them. The information citizens get should not be so dependent on what the software vendor chooses to tell them, so this is a good step.

The new method is also better because it removes an insidious (and I’m sure absolutely unintended) side effect of rewarding software vendors for not acknowledging problems. Acknowledging problems is hard enough in any setting — for companies, for people, for most organizations. Symantec’s new system removes this unintentional public relations reward for not acknowledging problems.

The Mozilla project creates its own internal incentives for acknowledging security issues in a timely way to protect consumers. We do this through our community and our open source development process. We open our code to people who are not employees. By doing so we make sure that we have independent experts involved in improving Mozilla products and acting as consumer advocates. These experts monitor our performance constantly and provide an expert voice in getting security information from the Mozilla project to our user base.

Security in the Internet era is a complex, constant process. No one is perfect today, and no one will be perfect tomorrow. Internet security will be a hard problem requiring vigilance for a long time. Protecting consumers over the long run requires a software vendor to have appropriate motivations, effective policies and development methods, and of course, good results. In this setting a strong, open process with built-in consumer protections is critical.

We’ve pioneered such a process and we see its results in our products.
