Mozilla can deploy a fix for any security bug reported under responsible disclosure in “Ten Fucking Days”, according to Mike Shaver.
RSnake, the recipient of this claim written black on white over a business card, sounds quite skeptic.
But I can see it happening.
I’ve seen many security patches which couldn’t wait (i.e. cats out of the bag), being developed and reviewed in 3-4 days.
In a famous recent case, even in 2 days.
Counting the Q/A needed before deploying an automatic update, 10 days is a feasible goal.
The key word here is can’t wait: responsible disclosure, according to some schools of thought at least, may weaken the “can’t wait” perception, and the management of other bugs in the past may be seen as supporting this theory.
We’ll see if Window Snyder is going to seize all the business cards from Shaver’s pockets, or if “a certain someone will be working remotely from an undisclosed location for a few weeks“.
But this public statement, no matter how much bold, is a good thing, because I know Mozilla can really live to this promise.