by RedComet 2304 days ago
Another case of Google not following their own rules. But they're happy to hang others out to dry when they exceed 90 days.
4 comments

In what way did they violate their own rules? Google didn't prevent the researcher from disclosing and the researcher could have disclosed - the timeline describes requests, not demands. For reference, Project Zero's disclosure FAQ:

https://googleprojectzero.blogspot.com/p/vulnerability-discl...

There are several cases in which deadlines were extended way beyond 90 days. And in the post itself, the researcher points out they could (and, in hindsight, feel they should) have imposed a hard 90-day deadline.

Disclosure doesn’t hang anyone out to dry. Any advance notice to a vendor before publication is a courtesy.

You are not obligated to keep any secrets about your own research into a product that has been publicly released for everyone to do research on.

Can you explain where you see that? In the post itself it says that Google offered coordinated disclosure at the 90-day mark?

Yep, I fully agree, you can't hold others to a standard you're not willing to hold yourself to. I specifically remember Microsoft begging for more time on a bug.

Also, if I understood it correctly, it seems as though some devices may require a factory reset to apply the new firmware? If so, for a lot of devices this still isn't fixed.

The big question is indeed how many devices got themselves into this 'bad state'. Your guess is as good as mine.