Hacker News .hnnew | past | comments | ask | show | jobs | submitlogin

Especially since Google gives a fairly strict 90 day disclosure deadline themselves.

https://www.google.com/about/appsecurity/



Yeah I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here. Sure, Google patched the bug very quickly after disclosure. But given that Google waited so long, it sure looks like they only prioritized the fix once disclosure was a risk. If anything, I think that the author should have scheduled disclosure sooner.


> I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here.

Because people are afraid of megacorps. They've found the courage to disclose the issue, but they've also felt that the blow needs to be softened by praising Google's security team, despite their negligence in handling this issue.


> I think that the author should have scheduled disclosure sooner.

Yup. Ninety days is fine. More people should choose ninety days up front and not allow themselves to be strung along indefinitely.

Project Zero actually has granted two exceptions to their policy (out of well over a thousand cases), both to rival companies (Apple and Microsoft). On the whole I would say you should resist doing this, just set the policy and reap the consequences whatever they might be. If somebody's $100Bn company burns to the ground because they couldn't get their shit together for three whole months too bad.


The problem is that you hurt a lot of users a long the way in extreme cases.


It's not you that hurt the users, it's the company for not being able to competently route, schedule, and fix their issue.

The reporter is only to blame if they actively exploit the vulnerability in order to harm users, not if they publish it publicly, with or without advanced notice to the company.


Or the bug fix can be hard to implement, test, and release in 3 months. I’m not saying it’s the majority of bugs but these could qualify


I would argue that 90 days is 90 days too long. It should be 7 days at most.


Should Google Project Zero also switch to 7 days?


No, it should switch to 0 days, that will fit with their name too.


I was thinking about how I would handle it, were I in the same situation and I think I came upon a decent idea.

1) 90-day disclosure initially 2) assuming communication, I would agree to extend for another 30 days 3) 15 days more 4) 7 days more 5) 3 days more 6) 1 day more 7) 12 hours 8) 6 hours 9) 3 hours 10) 1 hour 11) publish

More work for me, sure, but it doesn't drag out things indefinitely and i think it would have (at the later stages) created a sense of immediacy to get this fixed.


> Yeah I do not understand why the author waited so long to disclose

The author might have a Google account which, if cancelled, would disrupt their life considerably.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: