
tonny747 | 5 years ago

Especially since Google gives a fairly strict 90 day disclosure deadline themselves.

https://www.google.com/about/appsecurity/

wearhere | 5 years ago

Yeah, I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here. Sure, Google patched the bug very quickly after disclosure. But given that Google waited so long, it sure looks like they only prioritized the fix once disclosure was a risk. If anything, I think that the author should have scheduled disclosure sooner.

dessant | 5 years ago

> I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here.

Because people are afraid of megacorps. They've found the courage to disclose the issue, but they've also felt that the blow needs to be softened by praising Google's security team, despite their negligence in handling this issue.

tialaramex | 5 years ago

> I think that the author should have scheduled disclosure sooner.

Yup. Ninety days is fine. More people should choose ninety days up front and not allow themselves to be strung along indefinitely.

Project Zero actually has granted two exceptions to their policy (out of well over a thousand cases), both to rival companies (Apple and Microsoft). On the whole I would say you should resist doing this, just set the policy and reap the consequences whatever they might be. If somebody's $100Bn company burns to the ground because they couldn't get their shit together for three whole months too bad.

teddyh | 5 years ago

> Yeah, I do not understand why the author waited so long to disclose

The author might have a Google account which, if cancelled, would disrupt their life considerably.