How many days?!
Don’t let anyone tell you that nothing ever happens at Black Hat anymore.
Researcher Robert Hansen has a recap on his blog of a conversation he had at the Las Vegas conference with a number of Mozilla officials. What began as a debate ended with Mike Shaver, Mozilla director of ecosystem development, using some colorful language to describe how quickly Mozilla can push out patches for Firefox.
“We showed up and nearly immediately I was surrounded by the bulk of the Mozilla QA and security team that was attending Black Hat. They asked me lots of questions and gave me lots of info. It was a pretty equitable trade of information. Clearly, they acknowledge that they need help from the community, but they also feel confident that once things come to their attention it’s simply a matter of days to close their holes. They said the recent rollouts were actually slower than they would have liked them to be, even though they were only a week and a half apart. Further, they said that they could roll out any critical patches within 10 days. Not one to let challenges go untested I called BS.
At this point Mike Shaver threw down the gauntlet. He gave me his business card with a handwritten note on it, laying his claim on the line. The claim being: with responsible disclosure Mozilla can patch and deploy any critical severity holes within ‘10 f****** days.’
I told him I would post his card — and he didn’t flinch. No, he wasn’t drunk. He’s serious. I’ve always been a fan of Mozilla and Firefox. However, this is a pretty bold claim for a company of any shape or size. I shopped the business card around to various people while I was at the Microsoft party the next day to get people’s reaction. The consensus was that it was funny, very difficult to achieve and in one case, one of the head guys of security at Amazon simply doubted that the patches would be of sufficient quality. I’m not going to comment on my personal feelings on this matter except to say that I’d love to see Mozilla back up their promise.”
So was this a guarantee that Mozilla can patch anything and everything within 10 days? Mozilla clarified any statements, official or otherwise, on Monday with a few blog posts of its own.
From the blog of Window Snyder, chief security something-or-other:
“When I asked [Shaver] about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only 10 days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we’re among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.
This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the internet secure.”
And an apology from Shaver himself:
“I was intending to express my confidence in our ability to turn around a fix quickly if we needed to by giving him a sort of ‘admit one’ ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a 10-day turnaround on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression.
I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert doesn’t overshadow the great work that people on the Mozilla project do to keep our users secure.”
