Tracking security is an ongoing concern in the software industry. Oracle and Cisco use a system called Common Vulnerability Scoring System (CVSS), while Microsoft recently announced its the Exploitability Index project. Both projects rely on evaluating the risk potential from exploitation. Mozilla's security metrics will take a different route.
"We did look at exploitability at the very beginning and we decided that was a factor that is hard to capture and not all that useful," Window Snyder said. "We don't have a lot of evidence that Firefox users are being exploited."