After a series of disastrous headlines, Mozilla said this week that it will release some of its homegrown security tools to the open-source community.

According to Window Snyder, Mozilla’s security chief, the tool giveaway will start with a “fuzzer” it uses to pin down JavaScript bugs in Firefox.

Fuzzing, a technique used by both white- and black-hat researchers trolling for vulnerabilities, and by developers to finger flaws in their code before it goes public, drops data into applications or operating system components to see if - and where - breakdowns occur. Typically, the process is automated with a fuzzer, the term for software that hammers on application inputs. The JavaScript fuzzer, Snyder said, has identified “dozens” of vulnerabilities in Firefox code.

Snyder said the JavaScript fuzzer will be handed over following a presentation at the Black Hat security conference in Las Vegas.

“We’re announcing that we’ll be sharing our tools with the community, and releasing the JavaScript fuzzer then,” said Snyder. Other tools will follow, including fuzzers that stress-test the HTTP and FTP protocols. Those two tools, however, are not ready to offer to outsiders, largely because Mozilla wants to wrap up talks with other browser vendors before they are shared.

Snyder said Firefox developers have created many tools, and though a lot of them are small, special-purpose ones, all of them could be useful to others.

“We want to make the work we’re already doing available to other people and to other products” in the hope that the tools might help developers outside Mozilla spot problems in their code, she said. Snyder sees a direct benefit to Mozilla, too. The more people who bang on the tool, tweak it and modify it, the better the tools should become, she said.

She seemed unconcerned that any tool Mozilla released would prove a significant danger to users. Although hackers also use fuzzers in their vulnerability-sniffing tool kits, “the tool isn’t bad or good on its own,” Snyder argued. “They use debuggers all the time. Debuggers aren’t bad” because of that.

Mozilla might have wished it had fuzzed Firefox a bit more over the past three weeks, when it was caught in a name-calling contest between it and Microsoft supporters. Early last month, Danish researcher Thor Larholm found what he said was a critical input-validation bug in Internet Explorer that let the browser pass potentially malicious URLs to other programs, including Firefox. He laid blame on IE, while other security experts said it was Firefox’s fault.

Shortly after that, Snyder hinted that she saw the whole mess as an IE problem, but within days acknowledged that Firefox was guilty of the same behaviour. “We thought this was just a problem with IE,” she said last month. “It turns out, it is a problem with Firefox as well.”

Earlier this week, Snyder said that the very public disagreements between security experts as to which browser was to blame had actually been a good thing. “Debate is healthy,” she said. “And if we’re wrong, we say we’re wrong and move on.”

Mozilla updated Firefox twice in July, first on 17 July with, and then earlier this week when it released Version Both updates included fixes for the URL protocol handling bug that started the brouhaha. “We weren’t twiddling our thumbs during all of this,” said Snyder. “We were also on the back-end moving forward with fixes.”