CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Internet

Danish bug buster defends himself

The programmer who found the Communicator bug--and allegedly tried to sell it back to Netscape--tells his side of the story.

In the past 24 hours, he's been accused of terrorism, extortion, and blackmail. He also lost out on at least a thousand bucks.

Now, Christian Orellana, the Danish programmer who found the most recent and most controversial Netscape Navigator security hole, is telling his side.

In an email to CNET's NEWS.COM, Orellana recounted his version of this week's events, which stemmed from his discovery of a serious bug in Netscape's browser and his demand for what he felt was a just reward.

"Monday, the ninth of June 1997, [my company] CaboComm discovered a major security hole in the Internet browser Netscape Navigator, and immediately contacted Netscape about the situation. After being unable to reach Netscape at the appropriate level, CaboComm also contacted CNN, in order to inform the public about the possible intrusion of their privacy."

"Netscape encouraged CaboComm to submit the bug via email under the terms of the Bugs Bounty program. CaboComm did not consider this an appropriate way to handle a major flaw in their product."

Netscape, predictably enough, begs to differ.

"Within the same day as the first email to the developer support center, the team of people who eventually solved the problem contacted him. I'm not sure what he's speaking of," said Netscape director of security Jeff Treuhaft.

As for his demands for more than the $1,000 that Netscape usually offers to bug finders, Orellana says he would have dropped the condition if Netscape had come to Denmark to collect his information.

"Since Netscape was unwilling to enter in a dialog about any other terms than those of the Bugs Bounty program, CaboComm instead offered Netscape to pick up all information about the recently discovered bug on Monday 12:00 CET at CaboComm's premises, without any conditions or compensation."

Netscape says Orellana will not get any reward at all now.

Lastly, Orellana says he in fact helped Netscape pinpoint the bug, although the company has said he refused to help.

"Given the pressure Netscape has been putting CaboComm under, as well as the increasing possibility that the technicalities of the bug get discovered, thereby exposing Navigator users, CaboComm has now informed Netscape about every detail of the bug, and Netscape is currently working on a fix."

Netscape announced earlier today that it would have a fix ready early next week for the Windows 95/NT version of Communicator. Fixes for Navigator 2.x and 3.x will follow. (See related story)