July 31st - Author noticed patch was not sufficient but could not test (did not notify Google)
August 6th - Patch released
August 7th - Author notified Google that patch was not adequate
August 13th - Author went public?!?!
They are counting the original date of exploitation as the start date for notification. I would think a more responsible and friendly date would be August 7th. Just me.
I sympathise with your point, but one complicating factor is that when big security vulnerabilities like Stagefright are found a lot of people then turn their attention to that code. Either finding other issues in the same code, or that the patch isn't fully effective. It was similar with Shellshock, where there was a series of patches as more issues were found because suddenly people were looking at this bit of code that had previously been uninteresting.
I'm not sure keeping it secret for long serves much purpose in this kind of situation; the eye of Sauron is already gazing on the code in question. I doubt these people were the only ones to notice that the patch didn't completely fix the problem.
Perhaps I am more alarmed by the assertion of the author that they had given 100+ days notice... it came off like they were talking about the patch and not the original issue.
OTOH, it's highly likely that other people already found this. So by disclosing now, they are still helping users by making sure they don't think this bug was fixed.
But they shouldn't try to justify it based on the timelines. Especially if they noticed a bug in the original patch, but held off on saying anything.
At the same time.... It's business. They didn't act maliciously (exploiting or selling the exploit to bad actors). If the way to build a career is to rack up CVEs, well then that's what people will do, right?
August 13th - Still no response from Google (!), disclosing publicly.
Basically that's an integer type overflow; the moment I saw the four-line patch, I knew what it was going to be. Everyone else would see that too because it's a classic, and they can modify whatever exploit code they already have in a matter of minutes to work again.
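The comment above names the bug class as an integer overflow in a bounds check. As an added illustration of that class in C (constructed for this thread; it is not the Stagefright code and not Google's patch, and the offset/size/buffer-length layout of the "chunk header" is an assumption), here is the naive additive check that wraps, next to two forms that cannot:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a parser reads a chunk header (offset, size) from
 * untrusted input and must confirm the chunk lies inside a buffer of
 * buf_len bytes. Field widths are an assumption for illustration. */

/* Naive check. offset + size is 32-bit arithmetic, so a large size wraps
 * the sum to a small number, the check passes, and the later copy reads
 * far past the end of the buffer. */
bool chunk_fits_naive(uint32_t offset, uint32_t size, uint32_t buf_len) {
    return offset + size <= buf_len;   /* 0xFFFFFFF0 + 0x20 wraps to 0x10 */
}

/* Fix 1: widen before adding. Correct for two 32-bit operands, but only
 * because uint64_t has headroom; it does not generalise to wider fields. */
bool chunk_fits_widened(uint32_t offset, uint32_t size, uint32_t buf_len) {
    return (uint64_t)offset + size <= buf_len;
}

/* Fix 2: rearrange so no operation can wrap. Reject an out-of-range offset
 * first; then buf_len - offset cannot underflow, and comparing size against
 * the remaining room needs no addition at all. */
bool chunk_fits_safe(uint32_t offset, uint32_t size, uint32_t buf_len) {
    if (offset > buf_len)
        return false;
    return size <= buf_len - offset;
}

int main(void) {
    /* Constructed hostile header: offset near UINT32_MAX, small size. */
    const uint32_t offset = 0xFFFFFFF0u, size = 0x20u, buf_len = 0x100u;
    printf("naive:   %s\n", chunk_fits_naive(offset, size, buf_len) ? "accepted (bug)" : "rejected");
    printf("widened: %s\n", chunk_fits_widened(offset, size, buf_len) ? "accepted (bug)" : "rejected");
    printf("safe:    %s\n", chunk_fits_safe(offset, size, buf_len) ? "accepted (bug)" : "rejected");
    return 0;
}
```

The subtraction form is the one reviewers should look for: an `a + b <= n` check on attacker-controlled integers is exactly the shape that slips through review, and it is also the shape a reviewer can reject on sight without knowing anything else about the format.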
I have a nit too. I don't like the term "responsible" used in this context. I prefer coordinated if anything. The responsible as in responsible disclosure is such a loaded term.
By the severity and simplicity here as well as the attention from the recent talk, this was a fine course of events in my personal opinion.
What I wish would have happened is that someone at Google would have done a better code review and caught the bug; it's pretty glaring as these things go. But still, it happens all the time, so considering that the patches were simply applied, the next thing I wish would have happened is that someone at Google would have responded. In a case like this I would have liked to see a day or two at the most.
But none of that happened, and considering the other concerns laid out in the post, releasing the info publicly after almost a week is pretty responsible.
I sympathize, but there weren't enough details for Joe Random to build an exploit. This was an attempt to apply pressure, and it did it in the right way, by telling people how they can defend themselves.
Unlike Shellshock which was all over the freaking place, neither I nor my colleagues have gotten any suspicious MMS messages.
April 2015 - Original Stagefright exposed