undefined | Better HN

0 pointsmwfunk8y ago0 comments

Google Project Zero does not support full public disclosure immediately- quite the opposite. They support full public disclosure after giving the vendor an opportunity to ship a fix to their customers in a reasonable period of time. Nobody's debating whether or not security flaws should be publicly disclosed- of course they should. The only debate is, what is the most responsible way to handle such a security issue such that it harms the fewest users.

Project Zero (and infosec professionals, at least all of the ones I've ever worked with) would tell you that this was the most irresponsible way to handle the issue, short of not saying anything and selling knowledge of the exploit to someone other than the vendor who could fix it. Publicizing something like this in this way is something people do because they want publicity for themselves. It is not something someone does if their biggest concern is for the users who might be affected by it. It is something someone would do if they didn't care about the users, and just wanted public credit for pointing it out.

0 comments

lawnchair_larry8y ago

You added the word "immediately", making that a straw man. I did not say they disclose immediately. Their policy is still full disclosure, including working proof-of-concept exploit code, even when the vulnerability is unpatchable and millions are affected. Ask Microsoft and Apple about the times they went beyond 90 days.

Furthermore, that deadline is 7 days if they are aware of active exploitation.

DJB is famous for his full disclosure with no advanced warning stance.

The rest of your post is false. That is your opinion, and people disagree. I'm going to guess you have not personally spoken with folks from project zero. I have spoken with some of them. And trust me, they would not agree with your statement. A few of them even feel strongly that their timelines are far too generous. I also understand their reasoning, and it has nothing to do with ego or publicity, and everything to do with concern for users.

They do not give a shit about credit beyond believing that it is proper to cite the authors of any work. That isn't the case for everyone finding bugs, but people on that team lost the novelty of having their name on bug reports long ago.

j / k navigate · click thread line to collapse

0 pointsmwfunk8y ago0 comments

0 comments

lawnchair_larry8y ago

Furthermore, that deadline is 7 days if they are aware of active exploitation.

DJB is famous for his full disclosure with no advanced warning stance.

j / k navigate · click thread line to collapse