by arkem
4705 days ago
Disclaimer: I wasn't involved in this particular bug at all, so I'm speaking generally. We definitely don't play the blame game, but we do keep track of bug statistics so we know where best to spend our time and effort. It can be useful to know that projects using framework X have more issues than framework Y, or that maybe we should arrange to run some security classes at office Z. Bugs like this one are fixed with the help of the product team; they're usually the ones writing and pushing the fix (since they know the project best), and it's a good way to get some practical security experience spread around the organization (and increase awareness). We do write post-mortems for serious issues to delve into the root cause and to help stop it from happening again. We have a lot of initiatives in place to improve the security of our products overall, through both awareness raising (training, newsletters, security puzzles) and technology changes (scanners, static analysis, framework hardening).

P.S. We're always looking for security people to join us at Google (send me your resume, email in profile) or by bug hunting for bugs to submit to our vulnerability reward program.