Opera did not respond to security vulnerability?

Comments have been popping up in forums and blogs about the claim that Opera never responded to the reporter of the Cross Domain Charset Inheritance Vulnerability:

Unfortunately neither Microsoft nor Opera were interested in the
vulnerability. Opera did not react at all on our bug report and
Microsoft just sent a nonsense mail to us, claiming that we had
disclosed this already to the public and that they like getting
advance notice.

The person who reported this to us was in fact contacted after he had reported the issue to us and before the vulnerability was disclosed (this is logged in our internal systems so that we can verify that we have followed up on important things). Security vulnerabilities are taken very seriously by Opera Software, and people who find flaws and report them to us will be contacted to coordinate fixes and disclosure of the vulnerabilities in question.

It is not clear why he did not receive our response, but I am sure it will be worked out somehow. It is all probably just a misunderstanding, and not malice on his part or ours.

But the important thing to know is that it wasn't being ignored.


4 thoughts on “Opera did not respond to security vulnerability?”

  1. Actually, even Mozilla keeps security issues hidden in their bug tracking system until they have been fixed and disclosed to the public.

  2. Another reason for opening up the bug tracker a bit. At least the person who took the time and pain to report the bug should be allowed to track the result of Opera Software's investigation.

  3. I am not really aware of Mozilla's practices. But, the person who submitted the report already knows about the bug. So allowing him to see Opera's response to his submission shouldn't be a risk.
