Mozilla is taking legal action to find out whether its code was affected during an FBI investigation into Tor, the private browser that shares a lot of Firefox code.
Mozilla is concerned that the FBI has found a vulnerability that it will not disclose, and wants to know what it is so that it can apply a fix. The FBI has not helped out, so the software company has taken its case to the courts.
"User security is paramount. Vulnerabilities can weaken security and ultimately harm users. We want people who identify security vulnerabilities in our products to disclose them to us so we can fix them as soon as possible," said Mozilla lawyer Denelle Dixon-Thayer in a blog post as she explained that this is not a political action.
"Today, we filed a brief in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, the government must disclose the vulnerability to us before it is disclosed to any other party.
"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure."
The situation arose after an FBI investigation into a Tor-based child abuse site. The site was closed down, and the FBI reportedly installed malware to trace the users.
This suggests that the FBI has a decent way into the software, which raises concerns for Mozilla.
"The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser," said Dixon-Thayer.
"The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defence team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser.
"At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base.
"The judge in this case ordered the government to disclose the vulnerability to the defence team but not to any of the entities that could actually fix the vulnerability. We don't believe that this makes sense because it doesn't allow the vulnerability to be fixed before it is more widely disclosed."
Mozilla would like the FBI to follow the same disclosure procedures as the technology industry and do the decent thing by letting the company know as soon as possible.
"Court-ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community," she said.
"In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.
"Governments and technology companies both have a role to play in ensuring people's security online. Disclosing vulnerabilities to technology companies first allows us to do our job to prevent users being harmed and to make the web more secure."