Mozilla can deploy a fix for any security bug reported under responsible disclosure in "Ten Fucking Days", according to Mike Shaver.
RSnake, the recipient of this claim written black on white over a business card, sounds quite skeptic.
But I can see it happening.
I've seen many security patches which couldn't wait (i.e. cats out of the bag), being developed and reviewed in 3-4 days.
In a famous recent case, even in 2 days.
Counting the Q/A needed before deploying an automatic update, 10 days is a feasible goal.
