This really isn’t very accurate. I don’t know the details of the vulnerability or even if there actually is one, but I question the marketing around the Zero Day Initiative’s vulnerability report. The big news seems to be “only 5 hours” after the release.
This isn’t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. The reality is that the entire source code lives in CVS, there are nightly builds, and formal release candidates are posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.
It wouldn’t have made any waves if a vulnerability was found in a release candidate. It would have just been patched and a new candidate posted.
The advantage to the open source development process is the transparency through the entire process. The code in the release build isn’t remotely new or surprising. Many people had been running it for days prior to the actual release.
Again, it’s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, then it was verified and confirmed in just 5 hours. Especially considering the open nature of the development process and how easy it is to check things out in advance.