by Wowfunhappy 2513 days ago
I agree that it's basically marketing, but what is the societal harm? That it makes Apple look bad?

Remember, it's not like others would stop looking for these exploits if Google did.


You're assuming they're exposing the bugs for everyone's benefit when that might just be a side effect.

Does Google harming the reputation of a competitor for its own advantage not cause some societal harm? Or are we still pretending that some businesses are working in our best interests?

> Does Google harming the reputation of a competitor for its own advantage not cause some societal harm?

If they're harming the competitor's reputation by exposing a legitimate flaw in the competitor's product, I don't think that causes societal harm, no.

Apple could open up their own Project Zero, if they wanted to. Then you'd have two competing companies making each other better, which sounds to me like the ideal of the free market.

> Apple could open up their own Project Zero, if they wanted to

Need the right people and perhaps just as importantly the right internal politics.

Lots of businesses struggle with the idea that when the Big Boss says something false it might be OK for a lowly employee to contradict them. I expect that even if Tim Cook thinks he'd be OK with hearing from an Apple engineer that their new product is garbage, Tim's immediate reports will ensure that engineer is fired before news reaches Tim so he thinks it never happens.

What you want in a good company is the CEO takes the bullet. Something bad happened? That's my fault, the buck stops here, I will make sure we do better next time. Big loss? Cut my salary and zero all executive bonuses until we turn it around.

What you see most often is throwing employees under the bus. Something bad happened? We fired the people responsible, I'm putting somebody else on this (read: I am preparing to throw this new person under a bus too). Profits a bit less than anticipated? Fire 1000 people essentially at random to show I'm focused on the problem.

> they're harming the competitor's reputation by exposing a legitimate flaw in the competitor's product, I don't think that causes societal harm, no.

Well it’s not necessarily that simple. Exposing a flaw without adequate time to develop a fix could cause net societal harm. This is especially true if it’s a bug that would have been discovered and fixed internally without any public disclosure.

Overall, sure, but Project Zero follows responsible disclosure.

Calling something "responsible" doesn't make it so. When Google first started this "responsible" disclosure in October of 2014 with Microsoft, Microsoft had a fix set up to be released on Patch Tuesday and asked Google if they could wait to disclose it until then. A mere two days. Google refused and released details on Sunday.

How was releasing the details 2 days early responsible or beneficial? At best it got customers worked up and made them question Microsoft's patch policies.

Do you think in the intervening 2 days anyone took any actions knowing the patch would arrive Tuesday?

Google hides behind "responsible disclosure" as an excuse for using Project Zero tactically to do PR damage to competitors.

> If they're harming the competitor's reputation by exposing a legitimate flaw in the competitor's product, I don't think that causes societal harm, no.

The act of rapid public disclosure compels the target to shift resources and focus to respond to those potential dumps. This can negatively impact the company strategically and put them in damage control mode.

In the case of Apple, they're not the dominant platform and are trying to pivot to be seen as the secure and private platform. Google is damaging their credibility with that pivot by investing in finding vulnerabilities in their products and rapidly disclosing them.

Short term this could improve the product, but long term it could damage Apple's reputation, further diminish their market share, and solidify Google's.

If Google were funding an independent research team tasked with securing the internet and platforms for the greater good, that would be fine. But that isn't Project Zero. Project Zero is a weapon wielded by a company trying to protect its monopoly.

Yes, but if Apple is trying to "be seen as the secure and private platform" then really, from a consumer's point of view, they should be diverting resources to being secure and private.

The fact that this is possibly two-faced by Google doesn't change the fact that it is a net good if Apple is sincere in their pivot, because they'd want this dealt with anyway and they get them highlighted for free. If Apple just wants to be "seen" as secure and private without actually making it so, then it's good that it's being exposed as hollow words.

You 'may' have a point with smaller competitors to Google but really Apple is a large enough target that there are other capable threats targeting them that will use these vulnerabilities for worse than just keeping them in line with their marketing material.

I don't understand why this is an either/or type scenario. Apple should be focusing on security as you've stated, AND Google uses Project Zero as a tactical weapon.

OK. In your mind, what's the ethically correct way to do security research into major companies' products and disclose what you might find?

An independent nonprofit organization with a clear mission statement and no ulterior motives. Not Google employees operating under the oversight of Google management.

Would the results still be ethically clear in your mind if this nonprofit with a clear mission statement received significant funding from Google?