Absolutely. But if they're down the list from more important security issues?

They get addressed in a prioritized manner. If there are so many security issues that they can't be addressed in 90 days, it seems like there are bigger, more fundamental system design and/or process or organizational issues with the company, which should really be dealt with instead of being excused by finger pointing or something equally pointless and disruptive to the end consumer.
 
Provided that employees aren't biased toward non-Google products. If they find a critical flaw in Microsoft/Apple vs. Google, I am not sure their reporting is going to be exactly fair in the public disclosure.

A group tasked to police itself isn't really policing itself. Sorry, don't buy it.

Apple and Microsoft should both start doing this too with Google software. Like I said, this is a win for consumers as long as egos are placed aside.
 
Why not do it with their own software, as opposed to worrying about others?


I completely agree that they should include their own software in that testing. Maybe they do; it's hard to say, since there's honestly probably more to it than us outsiders can see.
I know some here see that as Google attacking its competitors and maybe it is that but at the end of the day we get to benefit with the improved software. If they find problems first then companies like Apple can skip that step and go straight to fixing it. Saves time and $$$.
 
...

Not every bug can be fixed in an arbitrary amount of time. 90 days is arbitrary and so is 14 days. We have had some bugs in our company's software that have gone unfixed for YEARS, despite dozens of people trying to fix them. Trying to find out 'why' or 'where' the bug occurs sometimes takes most of the time, fixing it sometimes just takes minutes after that.

However, on the flip side, if there are no 'deadlines' then there is no 'incentive' to get the bug fixed.


...
Do you think it would have been better for Google to report the vulnerabilities to CERT or IETF? I ask because Google gives companies 2X the window of CERT (45 days) and 3X the window of IETF (30 days). Honest question: Would you be as upset if CERT or IETF exposed the vulnerabilities? With them it would have been exposed up to 2 months before Project Zero did.

....

Maybe Google has this already, but I think they should also have a clause like IETF:

"Exceptions to this policy do exist for critical issues in core components of technology that require a large effort to fix, such as vulnerabilities in standards or core components of an operating system."

So at least there's some consideration on how big the problem is and how long it would take to come out with a solution.
 
Yup, 90 days is plenty. As a consumer I don't even want it to take 90 days. And if a company, let alone a billion dollar behemoth can't do it in that time, then there are problems with the system they designed and/or the processes they have in place, and those should be fixed as soon as possible.

Why should we as consumers have sympathy about a company that we paid money to for not addressing security issues as soon as possible? How does any consumer think that which is against their own interests?

----------



They found an issue and it should be fixed. Why do people care why they found it or anything like that? The only thing that really matters to a consumer is that the issue was found and should be fixed as soon as possible.

Imagine this.
You're a swing seller.
Then someone comes - your competitor, that is - saying "your swing twists if you lean to the right; fix it by tomorrow or I'll tell everyone about your flaw," all the while his swing also does the same or even worse.

You try to find the problem and find it; you fix it, but you haven't tested it yet. You're forced to release the fix, and then the next day people complain the swing doesn't run smoothly. Solving one problem leads to another.

Or if you couldn't find it, bad people come and for whatever reason apply the flaw and break the customers' swings. While in normal use, there would be no problem and no bad people would break the swings.

----------------------

Point is, yes, it's good for it to be found, but releasing it publicly is another matter.
With limited time, there might be no time for them to test the fix and check whether other bugs occur.
And if they couldn't complete it in time, they just invite hackers to attack the security breach.
 
Again, if 3 months isn't enough time to fix it and test it, then there are bigger issues they should be resolving with their product and/or process or organization so that 3 months would be more than enough. From a consumer point of view even a month is too long.

While a flaw might not be publicly disclosed at first, it could very well be exploited by various people in the meantime, and perhaps for a long time prior to that. So in some senses it can be seen that by not releasing information about it, whether or not a fix is ready in 3 months, can be detrimental by not making consumers aware of an issue that might already be misused against them, as has happened more than enough times with things of this nature.
 
You said:

The technical know-how to figure out some of these security holes exists in about a dozen people in the world. Some of these bugs have been around since the 1970s (40 years)!

Thus implying that only 12 people in the world can fix security holes in software that has existed for 40 years (which in itself is an odd thing to say, as you're implying these 12 people have essentially not fixed these security holes that have existed for 40 years). So no, I do not work for Fox News or put words into your mouth.

You must work for Fox News. You love to put words into people's mouths.
They're not incapable - maybe it's just not as important to them financially.

Training, hiring the most expert people in the field of cybersecurity, giving them the time and resources to fix the bugs....

Maybe Google is doing more here, but we don't know...

maybe Apple has fixed 1,000 internal bugs while Google points out 10. But we only hear about the 'Google 10' because Google makes it public for P/R.

I said SOME security holes require expertise to find, so they ALL can't be found just by hunting-and-pecking. Maybe that's all Google has managed to do - find the low-lying bugs, while Apple and Microsoft found hundreds and thousands more, but they don't want to trumpet like a peacock and tell everyone.

You're making excuses; we are again talking about Apple and Microsoft here, not a tiny development studio. They have endless resources; they don't need to train anyone because they already have the staff and the expertise.

The only part that is true is that they do not fix security holes because I suspect they don't want to spend the money.
At the end of the day Google are doing their job.
 
The problem I see that is that Google is highly immature when it comes to long-term support for products.

Microsoft and (to a lesser extent) Apple support products and operating systems for long periods of time. This is especially important in enterprise. For all the grief that people give Microsoft and Apple for breaking support between releases, they overall do an acceptable job. There are programs written in 1995 that can still be run without issue on a 2014 Microsoft operating system. And I really think Apple is going in this direction, as well, because they want a piece of the enterprise pie.

This has not been the case for Google. I work in enterprise IT, and we have tried to rely on Google products. So many times, they have pulled the rug out from under us with little warning like it was not a big deal. Google products come and go. And features come and go. And it happens way too quickly. By the time we train users on a Google feature and the users feel comfortable using it, it's gone. Google has screwed us so many times.

Even their e-mail platform constantly changes, and again, no warnings are given. We are looking, as we speak, at moving to a more stable platform. Google is not good for enterprise.

Even Chrome is unstable for enterprise. Deployment is completely different from Internet Explorer and Firefox. For IE and Firefox, you can just configure them how you want and then deploy the image to users. In Chrome, you can only use Group Policy to set Chrome settings. This is a recent change that they just sprung on enterprise with no real warning. So, enterprise deployed broken Chrome settings for a while before realizing Google made the change.

My point is that Google doesn't realize that many security bugs cannot be fixed on the fly. Fixing that bug might break all sorts of other things. That doesn't matter to Google because Google doesn't care. Many enterprises would rather live with a security bug for a while and have a proper fix that doesn't break other things than get an immediate fix. Google hasn't figured this out. It's why many enterprises that were previously putting many services on Google's platform are now looking for a way out.
 

Putting all that other unrelated Google stuff aside, 90 days isn't even close to being "on the fly".
 

First of all, nothing I said is "unrelated." I typed it to contribute to my point. Sorry if the point went over your head.

Second, ninety days is extremely fast. Is it unreasonably short? That's debatable. But don't think for a second that it's a generous amount of time.

I am guessing that you have never worked on a large development project. Providing a fix will almost inevitably break something, and figuring out how those dominoes fall is difficult and takes time. In fact, they very well could give it lots of time and still not figure out all the effects that it will cause. What if the bug had existed for many years and there were third-party products that depend on the bug to work correctly? Those products will be broken as soon as the bug is fixed.

In addition, even if all the situations are figured out, customers (especially enterprise) have to be alerted. This means creating documentation to let customers know what the implications are and what their options are, if any, for work-arounds.

These are generally not considerations for Google because Google gives not the first damn about enterprise.

So no, ninety days is pretty quick.
 
Lots of assumptions across the board and not much more.

How Google deals with other products or something else isn't really necessarily related or relevant to finding security issues. There's simply an assumption there.

As far as addressing security issues, if 90 days isn't enough, then the underlying system should be changed or there are issues with it to begin with. Or there's something with the process or the organization that needs to be changed. These days those types of excuses only show that there are other, bigger problems that the company should be addressing instead of not doing anything about them, pointing fingers and coming up with excuses why something is hard or complicated. As consumers, it's detrimental to us. Why would anyone as a consumer support that which is against their interests?
 
Lots of assumptions and nothing more. If 90 days isn't enough then the underlying system should be changed or there are issues with it to begin with.
Wait, so you think that I'm making "lots of assumptions" and yet you're the one that is assuming that "something must be wrong" because ninety days may not be sufficient enough time to fix a complicated issue?

Yeah, I'm not taking you seriously and won't be replying to you, anymore.
 

If you think that needing more than 90 days to fix an important security issue is just fine and isn't an indicator that the underlying system could and should be designed better to allow for that these days (or that there aren't processes or organizational improvements that need to be made if those are getting in the way), then it would seem that reality is being conveniently overlooked.

Just because that's the sad reality these days for many (especially larger) companies, doesn't mean that it's right or good or should continue getting ignored and used as some sort of excuse for different shortcomings.
 
It's so predictable that we have so many on this board attacking Google because Google went after Apple. Boohoo. It's Apple's fault that the bug was there in the first place. It's Apple's fault that they can't patch it in 90 days. Without a patch, guess who gets hurt? You, the consumers, not Apple. So stop coming to their defense on everything.
 