I don’t think anyone here is saying you should bury the research. We all know that security through obscurity is a fallacy. However, asking you to delay publishing an exploit for a day or two is certainly not unreasonable. It helps protect the users more than the author.

Premature publishing of explicit exploit information is one of the ways that “zero-day” problems become widespread. As a user of Firebug I’d rather you had talked to Joe first. Actually as a user of any software I’d rather you give it’s author a chance to patch before publishing exploits.

If you feel you must post immediately, post the information that the vulnerability exists and some basic details without the full “how-to” and follow up later with the full disclosure.

There are certainly times where it’s appropriate to use disclosure as a means to force action, but give the author a reasonable chance to respond. It’s better for all of us.

James.

Previously Thor Larholm said:

I don’t think there is anything extreme about publishing a vulnerability when you find it. sure, Joe could have been away for the Easter holiday visiting his family and therefor not been able to patch it immediately, but I fail to see how that is my concern. In that regards I have treated him no worse or better than I have treated Microsoft, Mozilla or Valve in the past.

This is research that pdp and I have independently performed. We’re not employees of Microsoft or Firebug, instead we are altruistically researching and publishing the very things that others are also researching – but keeping private.

If you want to detect Firebug version without going into Firefox, but still being local, you can just read the install.rdf file from Firebug extension folder which is under the Firefox profile folder.

You put software users unnecessarily at risk. That’s what’s wrong with it.

“I fail to see how that is my concern”

Yep, there you go.

You are not “altruistically researching” anything when you don’t consider what’s best for the end users?

There aren’t just two parties involved in these bug reports — the software developer and the security researcher — there is a third group with interests at stake: the thousands, if not millions of end users who are vulnerable.

You’re right that you don’t owe Joe Hewitt anything (though I would opine it would be nice if you extended common courtesy). And you also deserve credit for finding this security hole.

But you do a huge disservice to all the everyday users like me when you dismiss the possibility that “Joe could have been away for the Easter holiday visiting his family and therefor not been able to patch it immediately”.

This is research that pdp and I have independently performed. We’re not employees of Microsoft or Firebug, instead we are altruistically researching and publishing the very things that others are also researching – but keeping private.

It seems to me that saying “you have 48 hours to patch, before we publicize the exploit” would be just as effective in making people listen.

We often need to take extreme routes to make a point otherwise nobody would listen. However, I knew that Joe Hewitt will patch Firebug very quickly because the extension has one of the cleanest source code structures I have ever seen.

Joe Hewitt says:
April 6th, 2007 at 3:44

I have fixed this issue and and released 1.04.

As you suggested, I now escape all text before inserting it into HTML, rather than leaving it up to the caller. I’ve also added support for disabling file: urls.

I hope there aren’t any more vulnerabilities to be found, but if there are, please give me a day to patch it before you publish. I do appreciate you taking the time to make Firebug more secure, but it’s better for everyone to have the patch surface before the exploit.

It is a good think that Firefox has an automatic update system, so every Firebug user should be secured within a few days.

No. Upgrade.

pdp:

Why would you not have contacted the extension creator directly and waited a day for him to patch it? This seems irresponsible.