Opera Software is calling accusations made by Mozilla staffer Asa Dotzler regarding Opera’s security disclosure policies “dangerous and irresponsible.”

The issue at hand revolves around a pair of security vulnerabilities that were recently discovered by Verisign’s iDefense division. Dotzler alleged that Opera was in some way negligent because it did not immediately alert users that an update was available to fix critical flaws.
Opera spokesman Thomas Ford explained that one of the vulnerabilities was tagged “low impact” while the other was “moderate
“Consistent with our track record, we patch all vulnerabilities, regardless of severity,” Ford told internetnews.com. “This has been our philosophy since we first made a browser in 1995, and it will remain that
iDefense alerted Opera to the flaws on Nov. 16, 2006, and Opera began a full investigation the following day. Ford explained that, as is standard practice in the IT industry, a disclosure date was agreed upon by iDefense and Opera. Since the timing occurred around the holiday break of Christmas and the New Year, Opera agreed with iDefense to disclose on January 5, 2007.

Opera shipped Opera version 9.10 on Dec. 18, 2006, with the fixes.
Mozilla’s Dotzler took issue with the fact that Opera did not originally alert users, in the changelog for the 9.10 release, that it included key security fixes. It’s a charge that Opera isn’t disputing.
“We accept that we should have made it clearer that 9.10 included security upgrades,” Ford admitted. “We have rectified this in several places, including the changelog to which you linked.

“We recognized that our internal reporting and communication process could be improved and we have taken steps to ensure this does not happen again.”
Opera also disagrees strongly with the accusation made by Dotzler that Opera downplayed the severity of risk for users.
“As a public-facing employee of the Mozilla Corporation, his comment is incredibly reckless and disappointing,” Ford stated. “All vendors, including Mozilla Corporation, may adjust the severity of a security vulnerability when they disclose if they disagree with the finder’s assessment.”
The real issue when it comes to browser vulnerabilities is about the length of time a user is actually at risk from real attacks. It’s a sentiment that Dotzler himself noted in a blog post several days before his Opera comments. In the case of the recent iDefense-discovered flaws, Ford contends that Opera users were not at risk for a single day.
“We have a long and proud record of placing our users’ safety as our top priority,” Ford said. “We will continue to do so and vigorously defend ourselves against claims to the contrary.”