
Mozilla security patches coming as soon as f***ing possible

Published: August 7th, 2007

It all started during the Black Hat security conference last week, when Mike Shaver, Mozilla Director of Ecosystem Development, handed his business card to Robert Hansen (a.k.a. RSnake) after adding “Ten F***ing Days” to it.

Ten fu**ing days

The ten days refer to the time it took Mozilla to patch and ship an update for a recent security vulnerability, addressed in the latest release, Firefox 2.0.0.6, which is, without a doubt, an important security achievement.

There have been, however, different interpretations of what was said and what it meant, especially once it made its way through several media outlets and Digg’s front page.
This is Hansen’s version of what happened: “[T]hey said that they could roll out any critical patches within 10 days. Not one to let challenges go untested I called BS. At this point Mike Shaver threw down the gauntlet. He gave me his business card with a hand written note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within “Ten [F***ing] Days””. Nice!

And this is Mike’s version: “I was intending to express my confidence in our ability to turn around a fix quickly if we needed to, by giving him a sort of “admit one” ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities.”

I really didn’t pay attention to this when I read Hansen’s post last week. I know for sure there’s no way anyone can guarantee a security patch time frame for any software, and the fact that this happened during Mozilla’s pajama party and not at one of Black Hat’s briefings or workshops put its informality beyond question.

But since people are speculating on whether this is a Mozilla challenge, a Mozilla policy or just a joke, Mozilla Chief Security Officer, Window Snyder, has issued an official statement on the matter: “This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe.”

That’s it. Party is over. Nothing to see here. But I learned a more colorful way to talk about Mozilla security. In the end, I prefer security patches “as soon as f***ing possible” instead of “the second f***ing Tuesday of the month”.


1 Comment on “Mozilla security patches coming as soon as f***ing possible”


  1. Olhado
    August 8th, 2007 at 5:54 am

    Man, that last paragraph made my day :-)
