[fzltrp]

The insight there is that one should always try to wrap criticism with praises: people don't like being told that they suck at their job, even if it's true. If instead of showing themselves as destructors, they'd adopted an image of mentors or teachers, things would've gone way better. Hopefully Google's Project Zero will be wiser than the IBM team on this point.

Note that this is even truer when criticism comes from an outsider, and Google's team will be doing exactly that. If they also deal with companies whose culture is very much reputation based (like in Asia), they'll have to be even more cautious.

[x1798DE]

I think providing unsolicited advice is always going to be fraught. Showing up as "mentors" and "teachers" is not going to go over well if the person you show up to teach thinks that you don't know what you're talking about. It's certainly possible that a lot of people will welcome the help, but it seems just as likely that people will say, "You come in here and think that you know our applications, but you don't know the history and the specific compromises we decided to make, etc, etc."

One problem I think is that no one ever writes the story of the major bug that got fixed in time. If you could just check the counter-factual of what would happen without security upgrades, a team like this could build a reputation for saving a company millions of dollars and reams of bad PR, and they'd be more likely to be welcomed. As it is, it can be easy for entrenched interests to make the case that security-minded people are just obsessive because, "Hey, we haven't had a breach yet!"

[fzltrp]

I meant that mentor thing in the context of IBM. I agree that it would not be much better in the case of Project Zero.

That said, I still think that a positive approach (positive criticism) cannot be worse than plain critics.

> "You come in here and think that you know our applications, but you don't know the history and the specific compromises we decided to make, etc, etc."

That's exactly the sort of answers that team should prep for: it is obvious to me that whatever compromise I made for my software stack, if there's a security issue, I will have to reconsider them. The whole point is to not rub it up my face for me to accept the issue more easily (not everyone is an adept of egoless programming). I was also saying that with the perspective of the Sony situation: in Japan, losing face is an extremely serious matter. I don't know how this situation was handled by this guy though: perhaps he did all he could to manage their feelings. It's clear to me though that doing it the IBM black team way did is a recipe for failure.