by d2mw 2510 days ago
Project Zero has always been disguised marketing, and IMHO an extremely nasty form of it. I have no doubt they plan coordinated releases like this on a regular basis

(these downvotes are confusing. Do you disagree that it is marketing? That their approach is brutal? That they plan this regularly?)

9 comments

Giving a company 90 days to fix a problem that may be currently exploited, harming end users, seems nasty to you?

We should all be so lucky as to have Project Zero handing us free bug reports like that. Responsible companies PAY for bug reports on their products. Google is handing them over for free.

Sure, but at the same time, when Google announced that Google+ had a huge security breach of 52M accounts, they didn't publicly disclose it until well after the fact because they didn't think it was serious enough. I wish Google would follow their own principles.
The most recent post on Project Zero's blog is about a Chrome vulnerability: https://googleprojectzero.blogspot.com/2019/05/trashing-flow...

And it had the exact same automatic 90 day disclosure applied: https://bugs.chromium.org/p/chromium/issues/detail?id=944062

"Please note: this bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public."

In fact they've reported a lot of Chrome vulnerabilities: https://bugs.chromium.org/p/project-zero/issues/list?colspec...

And Android ones: https://bugs.chromium.org/p/project-zero/issues/list?colspec...

Hey, look at that! Equal treatment for all.

Do you mind rephrasing that to make Google seem eviler? I have a confirmation bias to fulfill
By that standard, literally no company in the industry is following these principles, because internal findings are not routinely disclosed. Internal vulnerability researchers have access to information outsiders don't, so you can imagine, the bugs you're not hearing about are pretty lurid. Every major tech company in North America spends millions annually on third-party software security tests; did you think these just weren't turning things up? What did you think was happening to the reports?
For what it's worth, Mozilla routinely discloses internal findings, subject to the same policy as external findings: the bug report is opened up once the fix has shipped to a sufficient fraction of users.

So it's not "literally no company". ;)

Disclosure: I work for Mozilla and I have reported a number of security bugs on our code, the vast majority of which are now public.

Mozilla certainly discloses more than other vendors do, but I'm talking to Mozilla security team members about this now, and maybe one of them can jump in here and correct me, but I don't think they can claim that all their internal findings are reliably (and meaningfully, in advisory form) disclosed.

Regardless: that's a good point. I should have said, public disclosure of internal findings is not an industry norm. Mozilla is a good counterexample to the argument that everyone close-holds internal findings.

That's a good point about advisories. All the findings are public eventually in the form of non-hidden bug reports, but not all may have advisories issued. Doubly so if the finding happens before the affected code had first shipped in a release (so buggy code gets checked in, then internal testing finds a security bug in it before it ships, and that bug is fixed).
I don't think that is the point though so much as that Google has one standard for their internal findings and another for project zero, which also deals with other companies with the justification that it is better. Mozilla doesn't audit other companies so what they do with their internal finding isn't relevant for that argument. One can of course argue whether it is good, or justified, or not. But I don't think that changes that there is an argument there. If someone wanted to sue Google (ha!) over a project zero disclosure that is likely something they would try to argue. That Google knows that disclosing has consequences.
I could be mistaken, but I think internally reported issues that don't make it to release aren't assigned CVE numbers, which might be what he means by "disclosed".

Of course, as you say, we do rate almost all security issues, and eventually make them public, so the information is only a bugzilla search away! https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-critic...

Google's goal with Project Zero is supposedly to raise the stakes in security. I'm happy they're doing it, but if they're going to enforce a non-negotiable 90 days public disclosure policy, it leaves a bad taste in my mouth when Google itself doesn't care to follow that for their own services.

Project Zero has long maintained that any serious company should be able to meet 90 day disclosure timeframe, and yet here comes Google+...

Project Zero was not the group that discovered the G+ vulnerability, though. Project Zero's terms do not bind other teams within the company who have not agreed to them.
The Google+ API issue wasn't a breach, but a vulnerability that was identified and patched within a week, before announcing publicly.

How is that different?

This is complete whataboutery.

Disclosure is one thing, remediation is another. The former is only instrumental to the latter. In the G+ leak, remediation was swift; so disclosure was not required.

(Btw, the affected accounts were 500K, reportedly, not millions.)

That was not discovered by P0. If P0 found it, there is no reason to believe they wouldn't have disclosed in 90 days.
Apple has a bug bounty program, yes? Are they paying Google for these?
Project Zero does not accept bounties. They generally ask for the money to be donated.
Makes sense. The bug bounty is meaningful money to an individual but it's just a pittance to Google.
I'd assume it also helps avoid the perception of a conflict of interest.
Apple's program has a few very specific classes of bugs that they pay out bounties for: these bugs probably don't qualify.
Probably not. I think that most of those bounties can only be redeemed when you sign an NDA.
Who requires an NDA? I don't believe Google does: https://www.google.com/about/appsecurity/reward-program/

(Disclosure: I work for Google)

I meant the NDA from the party where the bug is reported, Apple in this case.
Yeah, all they get in return is the chance to shit on competitors and possibly leave their customers open to harm, while getting lauded by the people who still think google isn't evil.
The company with the bug is leaving their customers open to harm.

And Project Zero has notified that company of their problem.

If the company fixes their problem in a reasonable amount of time, then it's a Win-Win-Win. The users, the company, and Project Zero all win.

If you blame anyone but the companies with bugs that can't fix them in a reasonable amount of time, then your priorities are dead wrong.

So what. I don't personally care if a company's marketing is affected - we as consumers have the right to know if iMessage or other protocols aren't secure. This is in the public interest and I'm glad Google's doing this. Apple can start their own Project Zero investigating Android if they want.
I agree that it's basically marketing, but what is the societal harm? That it makes Apple look bad?

Remember, it's not like others would stop looking for these exploits if Google did.

You're assuming they're exposing the bugs for everyone's benefit when that might just be a side effect.

Does Google harming the reputation of a competitor for its own advantage not cause some societal harm? Or are we still pretending that some businesses are working in our best interests?

> Does Google harming the reputation of a competitor for its own advantage not cause some societal harm?

If they're harming the competitor's reputation by exposing a legitimate flaw in the competitor's product, I don't think that causes societal harm, no.

Apple could open up their own Project Zero, if they wanted to. Then you'd have two competing companies making each other better, which sounds to me like the ideal of the free market.

> Apple could open up their own Project Zero, if they wanted to

Need the right people and perhaps just as importantly the right internal politics.

Lots of businesses struggle with the idea that when the Big Boss says something false it might be OK for a lowly employee to contradict them. I expect that even if Tim Cook thinks he'd be OK with hearing from an Apple engineer that their new product is garbage, Tim's immediate reports will ensure that engineer is fired before news reaches Tim so he thinks it never happens.

What you want in a good company is the CEO takes the bullet. Something bad happened? That's my fault, the buck stops here, I will make sure we do better next time. Big loss? Cut my salary and zero all executive bonuses until we turn it around.

What you see most often is throwing employees under the bus. Something bad happened? We fired the people responsible, I'm putting somebody else on this (read: I am preparing to throw this new person under a bus too). Profits a bit less than anticipated? Fire 1000 people essentially at random to show I'm focused on the problem.

> they're harming the competitor's reputation by exposing a legitimate flaw in the competitor's product, I don't think that causes societal harm, no.

Well it’s not necessarily that simple. Exposing a flaw without adequate time to develop a fix could cause net societal harm. This is especially true if it’s a bug that would have been discovered and fixed internally without any public disclosure.

Overall, sure, but Project Zero follows responsible disclosure.
Calling something "responsible" doesn't make it so. When Google first started this "responsible" disclosure in October of 2014 with Microsoft, Microsoft had a fix set up to be released on Patch Tuesday and asked Google if they could wait to disclose it until then. A mere two days. Google refused and released details on Sunday.

How was releasing the details 2 days early responsible or beneficial? At best it got customers worked up and made them question Microsoft's patch policies.

Do you think in the intervening 2 days anyone took any actions knowing the patch would arrive Tuesday?

Google hides behind "responsible disclosure" as an excuse for using Project Zero tactically to do PR damage to competitors.

> If they're harming the competitor's reputation by exposing a legitimate flaw in the competitor's product, I don't think that causes societal harm, no.

The act of rapid public disclosure compels the target to shift resources and focus to respond to those potential dumps. This can negatively impact the company strategically and put them in damage control mode.

In the case of Apple, they're not the dominant platform and are trying to pivot to be seen as the secure and private platform. Google is damaging their credibility with that pivot by investing in finding vulnerabilities in their products and rapidly disclosing them.

Short term this could improve the product but long term it could damage Apple's reputation, further diminish their market share and solidify Google's.

If Google were funding an independent research team tasked with securing the internet and platforms for the greater good that would be fine. But that isn't Project Zero. Project Zero is a weapon wielded by a company trying to protect its monopoly.

Yes but if Apple is trying to "be seen as the secure and private platform" then really from a consumers point of view they should be diverting resources to being secure and private.

The fact that this is possibly two faced by google doesn't change the fact that it is a net good if Apple is sincere in their pivot, because they'd want this dealt with anyway and they get them highlighted for free. If Apple just want to be "seen" as secure and private without actually making it so then it's good that it's being exposed as hollow words.

You 'may' have a point with smaller competitors to Google but really Apple is a large enough target that there are other capable threats targeting them that will use these vulnerabilities for worse than just keeping them in line with their marketing material.

I don't understand why this is an either or type scenario. Apple should be focusing on security as you've stated, AND Google uses Project Zero as a tactical weapon.
OK. In your mind, what's the ethically correct way to do security research into major company's products and disclose what you might find?
An independent nonprofit organization with a clear mission statement and no ulterior motives. Not Google Employees operating under the oversight of Google management.
What's nasty about what they're doing here?
They pay a team to embarrass competitors. The technical aspect is a small part of what is happening here.
I wish my competitors "embarrassed" me by helping to improve my software for free.
So you don't view this as Apple getting free whitehat testing and a chance to not get hacked? I think there are two viewpoints you could take here and I think the truth is directly in the middle.
Competitors should be embarrassed when it concerns security flaws. It's one of the best ways to generate media buzz and inform customers about the flaws, and also their consequences.
There are many possible motivations for Project Zero, and the reality is that more than one is likely responsible for the inception and ongoing sponsorship of the team's membership and activity.

What made you settle on this specific one?

Why are the downvotes confusing? You are making completely unsubstantiated claims.
Brutal?

90 days is unbelievably conservative. It's frankly ridiculous. Imagine you found weaknesses in a bridge. 90 days to disclose would be insane.

these downvotes are confusing.

You should check out

https://news.ycombinator.com/newsguidelines.html

for some answers.

90 days is enough to divert your next sprint from "Build new 3d Emojis" to "fix critical bugs". Of course it's not the same thing, but in the end: same company, same budget: just a question of priorities... Project Zero is the stick. I still don't know what the carrot is.
It isn’t marketing and it isn’t brutal. It’s closer to charity.