A couple of days ago, Secunia published their Secunia 2008 Report, and one of their tables garnered quite a bit of attention with respect to Mozilla patching quickly:

I wrote a more in-depth review of the calculated Mozilla patching speed in Mozilla Patches Fastest. NOT!, which you should read. For those of you who want the concise version, here is a quick bit of data.

The Secunia Report specifically limited its scope to vulnerabilities disclosed during 2008 (which is fine to do, unless you want to draw conclusions about overall vendor patching speed). This excludes any issues disclosed before 2008 and fixed in 2008 (or not fixed at all).

So here is my question for those who are really interested in answering the question of how quickly Mozilla fixes vulnerabilities: what is the average if you include the issues below? (Feel free to validate them yourselves to assure yourself that they apply.) Also note that I am only listing ones rated High severity in the NVD or Critical in a Mozilla advisory; there were several more rated Medium severity that I ignored. I also limited my search to Firefox 2 vulnerabilities.

I’m not going to do the math, but if you include these six Firefox 2 issues along with the three from the Secunia report, I’m pretty sure the number will be closer to 352 than to zero.

Of course, it may be that some of the issues above were silently fixed by Mozilla. I wouldn’t mind at all if they came out and confirmed my earlier analysis that they may be doing this. It would bring the average down a little.

Mozilla has posted their own thoughts on the Secunia report at: Beware the Security Metric.

Please do read their viewpoint as well, so you have all of the input to draw your own conclusions.  Given the above six examples (and my findings in this article), I personally find it ironic that they say this:

Mozilla discloses and releases bulletins for all security issues fixed in Firefox, regardless of how they were discovered. Unlike other vendors that only disclose issues reported by external independent parties, but not by internal developers, QA or security contractors.