Bugzilla Breached, Private Vulnerability Data Stolen
darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."
"We have performed a full security review of our entire infrastructure and all of our products, and we recommend moving to a flat design on a rolling release schedule with a cadence of one release per week. In order to reduce the number of code paths and further simplify the process of regression testing, all variables in about:config will be disabled, and the entire UX will consist only of one hamburger menu. Users who don't believe this represents significant progress are welcome to submit their own bugs to our all-new FlatZilla bug tracking interface, which automatically marks every user-submitted bug as WONTFIX, thereby improving our metric of closing time on bugs and demonstrating Agility as we continue to bring the Web forward."