That Catch-22 will, said Bryan, be addressed during oral arguments by the government and Michaud's lawyer in a hearing slated for May 25.
For the moment, Mozilla has been stymied in its effort to see the exploit and determine whether it leveraged a Firefox vulnerability. But the open-source developer said it is not going to give up.
"We will continue pressing the point with the government that the safest thing to do for user security is to disclose whether or not there is a vulnerability in the Firefox code base and if so, allow it to be fixed," Denelle Dixon-Thayer, Mozilla's top lawyer, said in a statement. "We want people who identify security vulnerabilities in our products to disclose them to us, and we believe the default position for any government agency should be that vulnerabilities will be disclosed to the entity that can fix them."
Dixon-Thayer's call for "the default position of any government agency" has little chance of being answered.
Last month, in a much higher-profile case, the FBI said it would not reveal to Apple how a terrorist's iPhone password was cracked, saying it had only paid for the use of the exploit, not the exploit itself. For the same reason, the FBI said it was not going to bring the iOS bug before the Vulnerabilities Equities Process (VEP) panel, a group that decides whether a flaw used by a U.S. government agency should be passed along to the vendor for patching.