Which is all Microsoft asked for - their ordinary release schedule requires 92 days.

The problem is that they had a known problem and somehow wanted to fit it into their "ordinary schedule". It's not "ordinary" and just because it's more convenient for them to do it in their "ordinary schedule" doesn't mean that's the right or the good thing to do. So it's their problem for not dealing with it properly and for having the issue to begin with.
 
I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

It deflates the value of stalling tactics - but only if the threat is credible.
 
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.

I couldn't give less than a rat's ass for whatever reasons Google digs out security issues with their competitors' products. Someone does it. Security issues get fixed (or not). That's all that counts.

If Google doesn't reveal those issues, chances are that they go unnoticed by the good guys - but the bad guys are already exploiting them, so making security issues public after a grace period makes the world a better place.

It's that simple.
 
I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

I agree with that aspect, they do need to be the arbiters. To step out of that role, they should simply release the information publicly as soon as they validate their findings or turn it over to an independent body to decide how to release the information and to whom. But take any act of arbitration away from the party making the discovery.
 
So in other words, Google is deflecting attention away from their own system woes. It's like my mother used to say, "people who live in glass houses shouldn't throw stones."

I think Google had better take a good hard look in the mirror and fix their own security vulnerabilities, especially when it comes to Android!

They do.

Additionally Google also runs OS X. Massively. And other products.

Why do you think they are looking into those kinds of issues in other companies' products? Because they benefit from having those issues fixed as well! Everyone profits.

Evil would be to not inform those other companies! The grace period of 90 (+14) days, by the way, is very generous: other organisations like CERT have half of that period (45 days, to be specific) unless information is made public. Go figure.

Google is not a charity!
 
I like that google is doing this.

I would like Google to do this with my company, but I would like it even more if they could give some hints on how to fix the bugs. But totally, yes, I would love to have some help finding bugs on our site.

I don't see it as a threat, I see it as an opportunity to find things that my team couldn't see. It's hard? Yes, totally, but I think our users deserve the effort!
 
I couldn't give less than a rat's ass for whatever reasons Google digs out security issues with their competitors' products. Someone does it. Security issues get fixed (or not). That's all that counts.

If Google doesn't reveal those issues, chances are that they go unnoticed by the good guys - but the bad guys are already exploiting them, so making security issues public after a grace period makes the world a better place.

It's that simple.

Well said! :)

If common sense prevailed, the general populace would think likewise too!
 
Good for Google!

We'd all much rather have RUSHED fixes, even if they have complex side effects leading to other bugs, and even when the flaw is currently unknown to attackers.

And who knows better WHICH fixes in Microsoft and Apple code are quick and which are complex, than outsider Google?

Software development is cut-and-dried, full of easy decisions. Thank goodness Google is here to set deadlines for other people.

The choice of deadline--90 days, 104, 180, whatever--should always be in Google's hands. Nobody else should have a say in that number. And if their competition needs more time in a certain instance, too bad--Google is here to save the day and release the exploits to the wild, hurting users along the way.

Google COULD just track these issues, keep a public count without details, work WITH other companies to set deadlines.... The same problems would get fixed, and sometimes better. But what's the fun there?
 
It's more important to blindly hate than to spend even just a split second on rational thought.

It would be different if their own software wasn't full of bugs that they fix by discontinuing support for that version of the OS.
 
While I applaud Google or any company for finding bugs, I think exposing them while a fix is in progress is a bad idea. The other issue is, if 10 companies start up and expose, do you expect Apple or anyone else to respond to all 10 companies exposing the same bug?

There needs to be 1 central authority and if someone else wants to display it on their web site, then fine, but their data must come from this central authority.

Google - the idea is good, the execution is poor.
 
It sounds like you don't understand software. Fundamentally, software ALWAYS has bugs. Just like everything else in the world. It's high profit / low risk to find software bugs and exploit them.

I can enter your house just by using a rock I find in your garden right outside your door. But using the rock to smash your window, enter, and rob your stuff is low profit / high risk. It happens, but not as often as it could.

But it's VERY costly to find ALL bugs and fix them. It's not like I can look through software code and go 'Gee - there's a bug - I'll fix it'. It's highly complicated and takes a lot of brain power to figure out.

If you have your house burgled then it's totally different: you know it's being burgled when you're present, and no window manufacturer has an obligation to come and fit bullet-proof unbreakable windows if someone does smash them in with a rock. You chose a very poor analogy.

A software house that releases software the general public will believe to be secure is obliged to ensure it is secure at release.
We are not talking about some small 5-member team here, we are talking about Microsoft and Apple with billions in funds, massive employee resources and endless other resources. They have years and years and years of experience.
So if they lack the brains, or cannot afford, to find their security holes themselves, then perhaps they should not be making software at all, because Google seems to have much better resources and even more money to do the work for them.

That is what you are implying, that Google has more 'brain power' and money than Apple or Microsoft combined, considering Google are finding the holes in both the other companies' software.
Google are more capable of finding security holes in Microsoft and Apple software products than either Microsoft or Apple are.

No, Google are highlighting how the other two neglect to fix their holes, most likely for profit increases. And I think Google has been much more than generous to allow so much time for the holes to be patched. And I would question, without Google performing this service, just how quickly these holes would be patched, if ever.

Perhaps Google should fix the holes themselves too? They will probably be better at that also.
 
It would be different if their own software wasn't full of bugs that they fix by discontinuing support for that version of the OS.
It wouldn't be, or perhaps only in principle (but since we live in reality and not in some universe of principles, it doesn't really matter). The bottom line is they're finding issues that need to be fixed. If they have their own issues that need to be fixed, that's also something, but not related to this as far as the consumers of those other products are concerned.
 
Good for Google!

We'd all much rather have RUSHED fixes, even if they have complex side effects leading to other bugs, and even when the flaw is currently unknown to attackers.

And who knows better WHICH fixes in Microsoft and Apple code are quick and which are complex, than outsider Google?

Software development is cut-and-dried, full of easy decisions. Thank goodness Google is here to set deadlines for other people.

The choice of deadline--90 days, 104, 180, whatever--should always be in Google's hands. Nobody else should have a say in that number. And if their competition needs more time in a certain instance, too bad--Google is here to save the day and release the exploits to the wild, hurting users along the way.

Google COULD just track these issues, keep a public count without details, work WITH other companies to set deadlines.... The same problems would get fixed, and sometimes better. But what's the fun there?
If 90 days isn't enough to fix something right even in a complex system, then really the system wasn't designed properly and has bigger issues to begin with.

And if it's an issue of process or something like that, then the problem is there somewhere and should be addressed.

Using one problem of some sort to excuse another one isn't really something that works.
 
LOL! Work on your own stuff first before mouthing off at Google.
Or, you know, do both, given that there are plenty of people and teams in the company that can do many different things at the same time.
 
Someone who is posting negatively about this needs to explain to me why it's a bad thing for the consumer to have this "policy" in place.

Annnnnnd go.
 
No no no. Google will wait until a patch is available before making the vulnerability public, if they are notified of the patch within 14 days after the 90 days.
 
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.

So let a Google competitor start a similar project and mirror Android vulnerabilities. I don't see how it's harmful for us users that Google is forcing companies to patch vulnerabilities or else they shame them! I love it.
 
This thread is hilarious. So many Apple apologists, crying about the fact that vulnerable code is getting called out.

Maybe instead of being upset with Google, they should be upset at Apple for both releasing and not fixing vulnerable code in a reasonable time frame.

If you're a big fan of Apple and own their products, wouldn't you WANT vulnerable code to be fixed? That makes their products better and more secure. Isn't that a good thing? Isn't that what we want?

Just saying, direct your anger and resentment where it should go. Don't shoot the messenger.
 
A software house that releases software the general public will believe to be secure is obliged to ensure it is secure at release.
We are not talking about some small 5-member team here, we are talking about Microsoft and Apple with billions in funds, massive employee resources and endless other resources. They have years and years and years of experience.
So if they lack the brains, or cannot afford, to find their security holes themselves, then perhaps they should not be making software at all, because Google seems to have much better resources and even more money to do the work for them.

A software house is NOT obliged to release software that will be secure. It says so right in the 10,000 word license you agree to when opening/using any software.

The technical know-how to figure out some of these security holes exists in about a dozen people in the world. Some of these bugs have been around since the 1970s (40 years)!

I'm glad Google is finding them, because they have not been found all this time. It takes hard work to find some of these bugs.
 
A software house is NOT obliged to release software that will be secure. It says so right in the 10,000 word license you agree to when opening/using any software.

The technical know-how to figure out some of these security holes exists in about a dozen people in the world. Some of these bugs have been around since the 1970s (40 years)!

Oh, ok, so you're now implying that Microsoft and Apple are incapable of fixing 40 year old security holes until Google points them out to the public? And they are obliged to fix the holes.

And Google must be employing all 12 of those 'special people' then considering they find the holes.
 
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.

Who cares, that's good for us regardless. Our devices become more secure.
 