From the post \”Note: this post is expressing personal opinion. The official policy is here.\”

http://my.opera.com/hallvors/blog/2007/07/24/opera-and-security-disclosure?cid=3217403

“That’s the policy.”

Only the dim or obtuse would fail to understand this situation given the written policy, the public history of disclosed bugs, and the explicit confirmation from Opera employees. The only alternative to this obviously correct understanding would be insulting to Opera engineers — that Opera is incapable of finding security bugs in software which no doubt has security bugs. I’m happy to continue to think highly of Opera engineers and accept their explanation that they do find and fix lots of security issues, they just don’t tell their users about most of it.

- A

Where is this policy?

A link to an official policy document is required. No blogs allowed.

http://operawatch.com/news/2007/01/interview-with-firefox-founder-and-creator-blake-ross.html

Now, your claim that Opera devs don’t give credit for all the security holes they find using the tool is nothing but hideous. Opera have always credited those who found security holes, and they did credit the one they found now to the fuzzer tool of your forge.

“So, you can trust Opera when they say they only found one but my guess is they either found more than one or they didn’t do a lot of testing with the tool.” Indeed I trust them that they credit you guys for all the holes - one in total - they found with the tool. They didn’t do a lot of testing? Go ahead, run the fuzzer and find crashers with 9.23 - I’ll be happy if you make my browser of choice more stable. Note that quite a few weekly-users did the same, and the amount of new crashers seems to have been minimal, given the total number of crashers found.

Although I totally agree with you that internally found security holes should at least be mentioned in changelogs as “found and fixed X security holes”, your aggressiveness on this matter is really disturbing, and doesn’t really help your cause.

WildEnte, how do you know that Opera hasn’t found 500 holes using that tool. You don’t. Opera has a stated Security Policy that says they will not disclose security holes they find internally and mentioning this one bug they found using our tool is anomalous. According to the Opera Security Policy, they don’t have to and won’t tell you everything they find and fix and Mozilla would never be so irresponsible to talk about bugs we found in Opera using that tool. So, you can trust Opera when they say they only found one but my guess is they either found more than one or they didn’t do a lot of testing with the tool.

Opera could clear that up by changing their policy to disclosing all fixed security bugs, including ones they find, and then you’d have reason to trust them on an issue like this. But as that policy stands today, a thinking person would have to assume that they’re not telling you everything they found and fixed.

Marol, learn to read secunia reports. You got the stats wrong (and in Mozilla’s favor, so I’m not calling you out for partisan reasons — just to let you know that you’re arguing from a point of ignorance.

Cassidy and eh eh eh, I’m not and never have been an engineer so I don’t, haven’t, and won’t ever be fixing security bugs. That makes your suggestion either deeply uninformed or simply stupid.

Now, to get back to the original post I made and in case it wasn’t clear from the comments above and my responses, not one of you have addressed my claim about Opera’s dishonest reply to that question.

Are you unable to respond to that? Do you think it was a honest and forthright response? Do you think it had nothing to do with spinning the issue? Seriously. How about defending Opera’s response instead of changing the subject.

- A

http://www.opera.com/docs/changelogs/windows/923/

In Firefox, the same tool found 280 crashers, about two dozen of which were believed to be security relevant.

http://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/

Note that I understand that the tool was written specifically to test Firefox, and that a direct comparison a la “Opera is 24 times more secure than Firefox” is BS. But I think it shows that Opera is a pretty secure piece of software.

I would think that for the version jump from 9.22 to 9.23, the answer to your question “how many security holes were found internally” is “zero”. But does that make Opera’s devs good or bad?

Fix your own security before bitching about Opera’s, Asa.

Vendor Opera Software
Unpatched 0% (0 of 8 Secunia advisories)

Vendor Mozilla Organization
Unpatched 43% (6 of 14 Secunia advisories)

We aim to never let a security issue stay unpatched. - And as we can see they manage to achieve this.

By the way, what about fixing all issues in Firefox? And of course, Firefox devs never try to prevent full disclosure of security holes prior to a patch release. Never.

Not that this is just normal behavior.

>According to secunia.org, Opera 9 had two known security
>vulnerabilities in 2006, both were patched. In 2006, Opera
>8 had two reported vulnerabilities, both were patched.

OK, but how about answering the question How many security issues have you patched, not how many security issues have you been forced to acknowledge.

This once again goes to the fundamental dishonesty that secrecy and security through obscurity makes so convenient. There is no user harm by reporting the actual number (and not disclosing the details of) security issues fixed in a particular release. Yet,because there is no mechanism for real accountability, it becomes not just easy, but de facto policy to mislead users.

A response that would not be misleading would go something like this: “We don’t disclose the number of security bugs we fix.”

- A