by lfam 3832 days ago
If the vendor is incompetent and the bug is being actively exploited, then it's reasonable to violate the 90-day policy, which is designed in the spirit of cooperation with competent vendors.

6 months ago they decided to limit inline installations [1] and they probably started reviewing poorly-rated add-ons like this one at that time.

http://blog.chromium.org/2015/08/protecting-users-from-decep...


There's no indication that the bug was being actively exploited.

Anyway, it's not clear what benefit was had over releasing the report but without the XSS link. Maybe even say "there's XSS on your site" but don't mention the exact link.

Again, they should ban the extension completely if they think it's insecure, and if they haven't done that, they shouldn't be publicizing exploits.

Tavis Ormandy started tweeting at AVG about this subject several months ago.

And it's been pointed out that they aren't able to remove the extension from users' machines due to how it bypasses the Chrome security system. So their best bet was to ask AVG to do the right thing. AVG won't or can't.

So, what can Google do? Just silently accept it? The 90-day policy is worthless in this case.

I went back through his tweets to 2014, searched AVG, and found nothing before Oct, and that wasn't a request for contact, which came in December.

The report is dated from this month.

Re removing it: they can remove it from the webstore. As long as it's in the webstore, they shouldn't be releasing 0-days that haven't been patched yet.

You expended a lot of effort on what could have been easily resolved by asking me. The XSS that you're concerned about was for illustrative purposes only, and could not be used in an attack due to mixed-content errors.

I don't really want to discuss disclosure ethics with you, but will say that our documented policy was followed to the letter.