Judge denies request to compel FBI to disclose vulnerability to Mozilla

A federal judge denied a motion filed by Mozilla last week requesting that the FBI privately disclose a security vulnerability that was used in a child pornography criminal case.

Mozilla believes the Tor vulnerability that the agency used to pierce the anonymity of Tor users and identify viewers of a child pornography site likely also affects the Firefox browser.

“Absent great care, the security of millions of individuals using Mozilla's Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well,” Mozilla's briefing stated.

“We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure,” Mozilla Corporation chief legal and business officer Denelle Dixon-Thayer wrote in a corporate blog post when the motion was filed last week. “The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don't believe that this makes sense because it doesn't allow the vulnerability to be fixed before it is more widely disclosed.”

UPDATE: On Tuesday, Mozilla Corporation issued the following reaction to the ruling, from chief legal and business officer Denelle Dixon-Thayer:

“We will continue pressing the point with the government that the safest thing to do for user security is to disclose the vulnerability and allow it to be fixed. We want people who identify security vulnerabilities in our products to disclose them to us, and we believe the default position for any government agency should be that vulnerabilities will be disclosed to the entity that can fix them.”
