
Alenore

macrumors 6502
Apr 7, 2013
423
426
Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

Has Safari tab reloading been fixed yet?
Plus, how relevant is that to a security audit?

If you actually read the article or knew what Project Zero was about, you'd know they also audit Google code, and have the same policy for their own code as for others'.

But hey, spitting on Google is fun and easy.
 

ThisIsNotMe

Suspended
Aug 11, 2008
1,849
1,062
Google pokes holes in software that ships on physical hardware and it is considered 'security testing' to shame their competitors.

Google's competitors poke holes in Google's software (cloud) and they get the FBI knocking at their door for hacking.

Complete double standard.
 

oliversl

macrumors 65816
Jun 29, 2007
1,498
426
If Google says you have 90 days to fix your software, you better do it in 90 days. 1984 == Google
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
If Google says you have 90 days to fix your software, you better do it in 90 days. 1984 == Google
You decide what you want to do about it. But the issue is there and it's certainly in your interest (as it is in the interest of your consumers basically) to address the issue.
 

rlhamil

macrumors regular
Feb 6, 2010
248
190
Sauce for the goose?

Fair play if Apple and others were to do the same thing - audit both their own and competitors' code. Esp. when one company has apps that run on others' platforms, or clients that interact with others' servers (or vice versa). A vulnerability in one might cause problems with the other as well.

For example: is it just me, or does Google Earth on a Mac crash way too often for quite some time now?
 

bbeagle

macrumors 68040
Oct 19, 2010
3,541
2,981
Buffalo, NY
You must work for Fox News. You love to put words into people's mouths.

Oh, ok, so you're now implying that Microsoft and Apple are incapable of fixing 40 year old security holes until Google points them out to the public? And they are obliged to fix the holes.

They're not incapable - maybe it's just not as important to them financially.

Training, hiring the most expert people in the field of cybersecurity, giving them the time and resources to fix the bugs....

Maybe Google is doing more here, but we don't know...

maybe Apple has fixed 1,000 internal bugs while Google points out 10. But we only hear about the 'Google 10' because Google makes it public for P/R.

And Google must be employing all 12 of those 'special people' then considering they find the holes.

I said SOME security holes require expertise to find, so they ALL can't be found just by hunting-and-pecking. Maybe that's all Google has managed to do - find the low-lying bugs, while Apple and Microsoft found hundreds and thousands more, but they don't want to trumpet like a peacock and tell everyone.
 

Poisonivy326

macrumors 6502
Nov 25, 2012
485
97
Someone who is posting negatively about this needs to explain to me why it's a bad thing for the consumer to have this "policy" in place.

Annnnnnd go.

Shhhhh ... don't you know that everyone in here is an Apple shareholder and they stand to make millions from Apple's profit margins? :D
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
Right and what about Google's bugs? Are they going to expose their own bugs 14 days after discovered so that people can hack their systems more easily?
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
Right and what about Google's bugs? Are they going to expose their own bugs 14 days after discovered so that people can hack their systems more easily?
14 days? And did they not do that at some point that shows this?
 

subsonix

macrumors 68040
Feb 2, 2008
3,551
79
It's more important to blindly hate than to spend even just a split second on rational thought.

Google has now changed their policy to be more in line with what many argued it should be last time this was discussed. At the time, you saw all those issues as non-issues, so given what you just said, does that mean you now think your thought back then wasn't rational?
 

Keirasplace

macrumors 601
Aug 6, 2014
4,059
1,278
Montreal
Has Safari tab reloading been fixed yet?
Plus, how relevant is that to a security audit?

If you actually read the article or knew what Project Zero was about, you'd know they also audit Google code, and have the same policy for their own code as for others'.

But hey, spitting on Google is fun and easy.

That's a damn laugh, they don't even fix 18-month-old code that affects 60% of their users. Google is a big joke. They hide behind OEMs supposedly being responsible when it's their broken-down implementation that's to blame. They are a joke.
 

bilboa

macrumors regular
Jan 16, 2008
213
1
Exactly.

Not every bug can be fixed in an arbitrary amount of time. 90 days is arbitrary and so is 14 days. We have had some bugs in our company's software that have gone unfixed for YEARS, despite dozens of people trying to fix them. Trying to find out 'why' or 'where' the bug occurs sometimes takes most of the time, fixing it sometimes just takes minutes after that.

However, on the flip side, if there are no 'deadlines' then there is no 'incentive' to get the bug fixed.

Some people in this thread seem to be assuming that publicly disclosing the vulnerabilities is just a punitive measure, and therefore if there is a good reason for why the bug hasn't been fixed, then the vulnerability shouldn't be revealed. However I would say the most important reason for revealing security bugs is so that others can take measures to protect themselves. In your example, even if there is a very good reason a security vulnerability hasn't been fixed in years, users of the software have a right to be aware of the vulnerability.

Regarding the point others have made that 90 days or 104 days are arbitrary, of course that's true, but if there were no deadline then companies could just stall indefinitely by saying they have a fix in the pipeline. I think it's legitimate to argue about exactly what the deadline should be, but even if they extended it to say 160 days, it would still be an arbitrary period of time.

----------

Right and what about Google's bugs? Are they going to expose their own bugs 14 days after discovered so that people can hack their systems more easily?

To be clear, Project Zero is about security bugs, not just any bugs. Unless a memory leak bug can somehow be exploited to get elevated security privileges, it's outside the scope of this project.
 

69Mustang

macrumors 604
Jan 7, 2014
7,895
15,043
In between a rock and a hard place
Good for Google!

We'd all much rather have RUSHED fixes, even if they have complex side effects leading to other bugs, and even when the flaw is currently unknown to attackers.

And who knows better WHICH fixes in Microsoft and Apple code are quick and which are complex, than outsider Google?

Software development is cut-and-dried, full of easy decisions. Thank goodness Google is here to set deadlines for other people.

The choice of deadline--90 days, 104, 180, whatever--should always be in Google's hands. Nobody else should have a say in that number. And if their competition needs more time in a certain instance, too bad--Google is here to save the day and release the exploits to the wild, hurting users along the way.

Google COULD just track these issues, keep a public count without details, work WITH other companies to set deadlines.... The same problems would get fixed, and sometimes better. But what's the fun there?

I disagree with Google releasing code. That's the only problem I have with Project Zero. Other than that, I appreciate what they do.

Do you think it would have been better for Google to report the vulnerabilities to CERT or IETF? I ask because Google gives companies 2X the window of CERT (45 days) and 3X the window of IETF (30 days). Honest question: Would you be as upset if CERT or IETF exposed the vulnerabilities? With them it would have been exposed up to 2 months before Project Zero did.

You know Google could save itself a lot of forum grief by reporting to CERT and IETF and letting them work within their respective 45 & 30 day windows. Since it seems no one has issues with the vulns being reported, that should solve everyone's issue. 'Cept that pesky shortened timeframe. ;)

FWIW, Google does try to communicate with companies during the 90 day period, so it's not like they sit around waiting for the 90th day to say gotcha. Also Project Zero has notified Apple, MS, and other vendors of multiple vulns outside of the ones in question without any disclosure since they got fixed. The companies actually have a dialogue. Imagine that.

https://code.google.com/p/google-se...+Priority+Milestone+Owner+Summary&cells=tiles

You can see everything they've done.

Selfishly, Google could want these vulnerabilities fixed since they use a crap ton of MS/OSX themselves. Ya know self preservation and all.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
Google has now changed their policy to be more in line with what many argued it should be last time this was discussed. At the time, you saw all those issues as non-issues, so given what you just said, does that mean you now think your thought back then wasn't rational?
The train of thought there seems to be rather lost. Google adjusted something in relation to their policies, they didn't get rid of them or drastically alter them or what they are doing. So certainly no rationality was lost anywhere (aside from perhaps trying to come up with some sort of unrelated narrative that somehow attempts to make it seem like it, although not succeeding).
 

subsonix

macrumors 68040
Feb 2, 2008
3,551
79
The train of thought there seems to be lost. Google adjusted something in relation to their policies, they didn't get rid of them or drastically alter them or what they are doing.

The issues that were discussed then were: a) the fact that Google did this at all, b) a discussion about responsible disclosure, why Google released the bug before it's fixed and c) the bug itself.

At the time you only concerned yourself with the bug, which wasn't particularly noteworthy among other bugs. The fact that they now are adding a window of 14 days means that they now are doing what many argued they should do back then.
 

Michael Goff

Suspended
Jul 5, 2012
13,329
7,421
The problem is that they had a known problem and somehow wanted to fit it into their "ordinary schedule". It's not "ordinary" and just because it's more convenient for them to do it in their "ordinary schedule" doesn't mean that's the right or the good thing to do. So it's their problem for not dealing with it properly and for having the issue to begin with.

It's also convenient for users.
 

bobenhaus

macrumors 65816
Mar 2, 2011
1,025
487
I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.

I agree with you. There is a bunch of double standards here when Apple is not involved. Just like Apple is possibly making a car and it will be the best thing since bread. Shame shame.
 

AllieNeko

macrumors 65816
Sep 25, 2003
1,004
57
What a bunch of assbags.

This is standard and accepted practice in computer security, public disclosure is a necessary practice to promote security by keeping public pressure on companies to patch quickly. 90 days is a very reasonable disclosure timeline.

It's those who disclose on day 0 that are working against your best interests.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
The issues that were discussed then were: a) the fact that Google did this at all, b) a discussion about responsible disclosure, why Google released the bug before it's fixed and c) the bug itself.

At the time you only concerned yourself with the bug, which wasn't particularly noteworthy among other bugs. The fact that they now are adding a window of 14 days means that they now are doing what many argued they should do back then.
And when companies wouldn't make that additional 14 day window, which isn't an automatic window but one that would require that companies actually have some fairly good reasoning behind it, people would have still had the same comments about having more time and making more exceptions, etc., etc., etc. Pretty much the same comments would have been there from most of the same people. This is just a small adjustment that doesn't change the vast majority of what's behind it all and what was already part of the project and what Google has already been doing.

The issues they find are still the important things and at the center of it all (whether they are small or not or if people care about them or not). That still hasn't changed either.

----------

Just obey Google
Yeah...again, none of that is there either (nor is it what 1984 is really about anyway).
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
It's also convenient for users.
The schedule? Sure, but there are many convenient things everywhere, but that doesn't mean things continue as normal because of convenience when something arises.

It's convenient to change a car's oil at specific intervals and often get various other things checked out and maintained at the same time, but if you just got that done a week ago and now an issue with brakes comes up out of nowhere, while it would be convenient to wait until the next oil change to get it taken care of, does that really make sense just because of convenience?

There's certainly the convenience factor, but there are many other more important factors that can come into play in various scenarios.
 