Hacker News
by ikeboy 3830 days ago
>...does that satisfy you, or are you still dissatisfied?

Like I said, I'm satisfied that it followed the policy. I don't fully understand why, though, and want clarification. I assume that if he'd found a usable exploit then he wouldn't have published it: note that until he posted, I was assuming he did find a usable exploit, and was arguing that that shouldn't have been disclosed, a position people disagreed with me on.

>So, should Google have a possibly indefinite disclosure embargo period? Or maybe just have a policy of never putting any details at all into security bug reports?

Their 90-day policy seems reasonable.

>You see that that removal from the store (or -assuming that they have the power to do so- remote removal from Chrome) is entirely and dramatically different from modifying uploaded code on behalf of the dev, right?

I only mentioned that as a way to remove the extension. I had assumed they can update an extension, and therefore thought they can replace an extension by one that does nothing.

I'm no longer sure. They could do with better documentation.