by ctz
2303 days ago
I think Google's handling of security issues in Android has been badly broken for quite a while now. Here's a timeline from another security bug in the same (security critical!) subsystem:

- 2014-02-24 AM - Discovery.
- 2014-02-24 PM - Vendor notification.
- 2014-02-24 PM - Vendor acknowledgement and confirmation.
- 2014-02-26 - Attempt to set up coordinated disclosure (no response).
- 2014-04-07 - Public disclosure.
- 2014-10-17 - Response from Android security team offering line in Android security acknowledgements.
- 2014-11-03 - Verified fixed in Android Lollipop.

(The impact of this bug was keystore material leakage between apps. No CVE was assigned!)

That was a long time ago, and of course two anecdotes aren't data. But it makes it all the more interesting to read Project Zero's frustration with poor disclosure practices by others.