Yeah I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here. Sure, Google patched the bug very quickly after disclosure. But given that Google waited so long, it sure looks like they only prioritized the fix once disclosure was a risk. If anything, I think that the author should have scheduled disclosure sooner.
dessant|5 years ago
Because people are afraid of megacorps. They've found the courage to disclose the issue, but they've also felt that the blow needs to be softened by praising Google's security team, despite their negligence in handling this issue.
tialaramex|5 years ago
Yup. Ninety days is fine. More people should choose ninety days up front and not allow themselves to be strung along indefinitely.
Project Zero actually has granted two exceptions to their policy (out of well over a thousand cases), both to rival companies (Apple and Microsoft). On the whole I would say you should resist doing this, just set the policy and reap the consequences whatever they might be. If somebody's $100Bn company burns to the ground because they couldn't get their shit together for three whole months too bad.
staticassertion|5 years ago
dependenttypes|5 years ago
AdamJacobMuller|5 years ago
1) 90-day disclosure initially 2) assuming communication, I would agree to extend for another 30 days 3) 15 days more 4) 7 days more 5) 3 days more 6) 1 day more 7) 12 hours 8) 6 hours 9) 3 hours 10) 1 hour 11) publish
More work for me, sure, but it doesn't drag out things indefinitely and i think it would have (at the later stages) created a sense of immediacy to get this fixed.
teddyh|5 years ago
The author might have a Google account which, if cancelled, would disrupt their life considerably.
unknown|5 years ago
[deleted]