• Did you order new AirTags? We've opened a dedicated AirTags forum.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,499
14,194



googlesearch.png
Google's security team Project Zero recently announced some changes to its bug disclosure policy after controversially exposing Apple and Microsoft security flaws when the companies failed to meet the 90-day deadline. The new disclosure deadline has a 14-day grace period and excludes weekends and public holidays, providing tech companies with more time to properly address security vulnerabilities in their software.
"We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch."
Project Zero is a security team consisting of experienced programmers that look through the code of Google and several of its competitors to discover security flaws, like those uncovered in OS X Yosemite back in January. The team immediately discloses any vulnerabilities found to vendors, providing them with a 90-day deadline to release a software patch before sharing the vulnerabilities with the public.

The role of Google playing security watchdog for other companies has been the subject of much debate, with some believing that the company has a disingenuous agenda and others claiming that it is taking appropriate action. Google claims that it holds itself to the same 90-day policy it enforces on other tech companies, with bugs in the pipeline for Chrome and Android that are subject to the same deadline policy.

Article Link: Google Relaxes Project Zero Bug Disclosure Policy
 

BittenApple

macrumors 65816
Nov 29, 2008
1,022
584
Don't be evil.

Google under Eric E. Schmidt is not good.
 
Last edited:
Comment

viorelgn

macrumors 6502
Sep 16, 2013
302
7
Romania
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.
 
Comment

sualpine

macrumors 6502
May 13, 2013
497
512
Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?
 
Comment

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,133
5,110
So why not just call it a 104 day deadline?

You have 90 days to say that it'll be patched within 14 days - if you don't say anything by day 90, they'll reveal it. So it's a 90 day deadline. If you say something, they'll give you an extra 14 days.

Sounds like a good policy to me. I'm surprised it wasn't their policy before.

----------

Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

If you watch Google's presentations, you'll notice they tend to present on Macs and PCs, not Chromebooks. They've got more to lose from other companies vulnerabilities than their own.
 
Comment

Robert.Walter

macrumors 68000
Jul 10, 2012
1,706
1,891
What a bunch of boneheads running Google.

Can't decide if they want to be secret spies,
or public gossips.

----------

...snip...

If you watch Google's presentations, you'll notice they tend to present on Macs and PCs, not Chromebooks. They've got more to lose from other companies vulnerabilities than their own.

Wonder what that means for the rest of those using Google's products and devices when Google doesn't eat its own dog food.
 
Last edited:
Comment

JoeG4

macrumors 68030
Jan 11, 2002
2,732
328
https://m.youtube.com/watch?v=zkzWyOaS8kU

Kinda reminds me of this lol. I thunk they should have a wall of shame with how long it took to respond to these things.
 
Comment

marzer

macrumors 65816
Nov 14, 2009
1,366
64
Colorado
I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.
 
Comment

mbh

macrumors 6502
Jul 18, 2002
400
73
You have 90 days to say that it'll be patched within 14 days - if you don't say anything by day 90, they'll reveal it. So it's a 90 day deadline. If you say something, they'll give you an extra 14 days.

And if it isn't fixed within that extra 14 days, they'll release it anyway. So, it's a 104 day absolute deadline.
 
Comment

bhayes444

macrumors 6502a
Jul 13, 2013
772
291
At least there is some company out there that is searching into these vulnerabilities instead of just letting them go unchecked and hoping that they are never maliciously abused. Granted, if there isn't a fix for them then exposing them is much worse than if they had never found them. Google isn't blameless from a vulnerability fixing perspective. Take the recent WebView vulnerability that they won't patch on Android 4.3 and below; the only way is to upgrade to 4.4 and up. At least there is a division of a company (Google or not) pointing out these bugs.
 
Comment

Col4bin

macrumors 68000
Oct 2, 2011
1,734
1,291
El Segundo
So in other words, Google is defecting attention away from their own system woes. It's like my mother used to say, "people who live in glass houses shouldn't throw stones."

I think Google better take a good hard look in the mirror and fix there own security vulnerabilities—especially when it comes to Android!
 
Comment

kwizatz

macrumors newbie
May 17, 2013
9
0
I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.

I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.
 
Comment

bandalay

macrumors regular
Apr 19, 2010
123
92
Canada
Google dedicates…

…a few dozen Googlers to look for bugs in competitors codebase.

Then dictates the terms of their humiliation.

The leash is now in place - will the dog jump through the hoops?
 
Comment

TimelessOne

macrumors regular
Oct 29, 2014
236
2
I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

Problem is at that point they are 3 months in from being notified.

It means you have 3 months to get a patch together and 2 weeks to release it. AKA you had 3 months to fix it. So really you have 104 days max from being notified to released a fix max. Your fix must be completed by day 90.
 
Comment

bbeagle

macrumors 68040
Oct 19, 2010
3,430
2,694
Buffalo, NY
So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

Exactly.

Not every bug can be fixed in an arbitrary amount of time. 90 days is arbitrary and so is 14 days. We have had some bugs in our company's software that have gone unfixed for YEARS, despite dozens of people trying to fix them. Trying to find out 'why' or 'where' the bug occurs sometimes takes most of the time, fixing it sometimes just takes minutes after that.

However, on the flip side, if there are no 'deadlines' then there is no 'incentive' to get the bug fixed.
 
Comment

apolloa

Suspended
Oct 21, 2008
12,318
7,798
Time, because it rules EVERYTHING!
Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

Except the blindingly obvious is, why the hell SHOULD Google be doing this? Why can't Apple and Microsoft fix their OWN flaws BEFORE releasing software..

Face it, if it wasn't for Apple and Microsofts obsession to hit deadlines and to add features and consciously ignoring security flaws in their software, then this special Google team wouldn't exist.

I say good on Google, they should reduce the time, not extend it. Google lets it's browser get hacked every year in that competition to find flaws in security.
 
Comment

Yuck9

macrumors member
Dec 9, 2014
46
15
California
Memory problems=Security ?

Memory leaks are not a security problem. If that were the case, OSX 10.10X would win.



Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?
 
Comment

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,388
19,440
The normal Google haters in here ignoring that them doing this is a good thing for everyone...
I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.

It's more important to blindly hate than to spend even just a split second on rational thought.
 
Comment

bbeagle

macrumors 68040
Oct 19, 2010
3,430
2,694
Buffalo, NY
Except the blindingly obvious is, why the hell SHOULD Google be doing this? Why can't Apple and Microsoft fix their OWN flaws BEFORE releasing software..

It sounds like you don't understand software. Fundamentally, software ALWAYS has bugs. Just like everything else in the world. It's high profit / low risk to find software bugs and exploit them.

I can enter your house just by using a rock I find in your garden right outside your door. But using the rock to smash your window, enter, and rob your stuff is low profit / high risk. It happens, but not as often as it could.

But it's VERY costly to find ALL bugs and fix them. It's not like I can look through software code and go 'Gee - there's a bug - I'll fix it'. It's highly complicated and takes a lot of brain power to figure out.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.