1. 20
  1. 3

    Respectfully, is that something an org can brag about?

    The time-to-patch metric heavily depends on the nature of the bug to patch.

    I don’t know the complexity of fixing these two vulns; surely fixing things fast is something to be proud of, but if they don’t want people pointing fingers at Mozilla when a bug stays more than one week in the backlog, they shouldn’t brag about it when it doesn’t in the first place.

    1. 18

      Assuming that the title refers to fixing and successfully releasing a bugfix, a turnaround of less than 24 hours is a huge accomplishment for something like a browser. Don’t forget that a single CI run can take several hours, careful release management/canarying is required, and it takes time to measure crash rates to make sure you haven’t broken anything. The 24 hours is more a measure of the Firefox release pipeline than the developer fix time; it’s also a measure of its availability and reliability.

      1. 10

        This. I remember a time when getting a release like this out took longer than a week. I think we’ve been able to do it this fast for a few years now, so still not that impressive.

      2. 6

        As far as I can tell, the org isn’t bragging; the “less than 24h” boast is not present on the security advisory.

        1. 1

          To be fair, you’re right.

        2. 2

          Also, the bugs are not viewable, even if logging in,

          so it’s hard to get any context on this.

          1. 2

            It is possible to check the revisions between both versions, and they do not seem so trivial.

            These are the revisions (without the one that blocks some extensions):

            1. 1

              Well, sorta the same, but the context is them fixing pwn2own security vulnerabilities in less than 24 hours 12 months ago.

            2. 2

              Respectfully, is that something an org can brag about?

              I always assume it’s P.R. stunt. Double true if the product is in a memory-unsafe language without lots of automated tooling to catch vulnerabilities before they ship. Stepping back from that default, Mozilla is also branding themselves on privacy. This fits into that, too.

              EDIT: Other comments indicate the 24 hrs part might be editorializing. If so, I stand by the claim as a general case for “we patched fast after unsafe practices = good for PR.” The efforts that led to it might have been sincere.

            3. 1

              I can’t speak for my co-workers who compete and win pwn2own, but this seems like some seriously odd posturing… If the vuln is something like an overflow or a use after free it literally might be as easy as changing one character or line. Without context it’s relatively meaningless and honestly makes them seem more petty in my eyes.

              1. 9

                Pretty sure they mean fixed, built, validated and shipped across all channels and platforms.

                1. 6

                  Nothing on the actual page linked has the “fixed in less than 24h” language; I think that may have been editorializing by the OP. The linked page is just a regular old security advisory.

                  1. 1

                    I agree, I guess this thread may need a title change.