Mozilla asked a court to order the FBI to disclose a vulnerability the agency has been using to hack the Tor browser, which is based on Mozilla’s Firefox code. Mozilla believes the same vulnerability could be used by bad actors to attack potentially hundreds of millions of users.
Mozilla seems to take issue especially with the fact that the judge has already ordered the disclosure of the vulnerability to the defense attorneys in a criminal case, which means the FBI has disclosed the vulnerability to a third-party before the vendor of the product itself. This could lead to many others finding out about the vulnerability before the company has a chance to fix it.
The company thinks that although the FBI targeted the Tor browser and not Firefox itself, the vulnerable code may be part of Firefox, as well. The Tor browser is written on top of the enterprise version of Firefox (ESR), so a majority of the code is shared between the two browsers.
Mozilla argued in a filed brief that the court should follow the industry best practices around vulnerability disclosures and order the FBI to disclose vulnerabilities to the vendors first.
“To protect the safety of Firefox users, and the integrity of the systems and networks that rely on Firefox, Mozilla requests that the Court order that the Government disclose the exploit to Mozilla at least 14 days before any disclosure to the Defendant, so Mozilla can analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors,” said Mozilla in a filing to the court.
The company also believes that it’s both the companies’ and the government’s responsibility to ensure the safety of online users, especially when a vulnerability can affect millions of users. Mozilla may have a point here, especially in light of the Vulnerability Equities Process (VEP), which at least in theory, the FBI should be following when discovering major vulnerabilities.
The VEP, which was created in 2010, and supposedly started being enforced in 2014, requires that the government reveal vulnerabilities to technology companies if those vulnerabilities can have a significant impact on users’ security. However, the FBI tends to dodge complying with the VEP policy and has tried to find loopholes around it in the past. The FBI will likely try to fight Mozilla’s request again, but it will be up to the judge to ultimately make a decision on this issue.