Hacker News new | past | comments | ask | show | jobs | submit login

> For example; If Google finds a bug in your product YOU get 90 days before they put you on blast in front of 8 billion people.

https://www.vice.com/en_us/article/7xqdxe/google-project-zer...

https://www.csoonline.com/article/2867534/microsoft-blasts-g...

Here are Google's many contradictory policies about disclosure. Notice the many discrepancies...

https://googleprojectzero.blogspot.com/p/vulnerability-discl...

https://security.googleblog.com/2010/07/rebooting-responsibl...

https://sites.google.com/site/bughunteruniversity/nonvuln

https://www.google.com/about/appsecurity/reward-program/

https://www.google.com/about/appsecurity/

https://googleprojectzero.blogspot.com/p/vulnerability-discl...

> But if you find a bug in GOOGLE'S product and put them on blast YOU will find yourself in court.

Maybe a bit of a dramatization, but the point remains. If Google finds a bug in your product: Your policy is moot. They follow their policy. If you find a bug in their product you are expected to follow their policy.

In the case of Apple their "security professionals" will make jokes about you on Twitter and in the case of Microsoft they just do whatever the fuck they want. "Your patches come out on Tuesday, huh? Well that's 92 days, big-guy! Tough break..."




> Maybe a bit of a dramatization

There's dramatization, and there's outright lying. Nothing will happen to you if you follow your own disclosure policy instead of Google's.

If you also want to participate in the program where you get paid by Google, then sure, you have to play by some of their rules. Similarly, nowhere does Project Zero say they expect to get paid if they don't follow the vendor's rules.


> If you find a bug in their product you are expected to follow their policy.

Is their policy more than 90 days? Yes? Fuck 'em; post everything everywhere.


It's not; from parent's own links: "We of course expect to be held to the same standards ourselves."


* impolitecough *

Great, then they should start pushing OS security patches out to devices instead of handing them to manufacturers and carriers and washing their hands of them.


They have started that. That's why more and more of Android has been moved to Google Play Services.

Coincidentally, that's one of the reasons why being denied use of Android is such an obstacle for Huawei, even though it's "open source".


You forgot to include "with pre-built exploit tooling built around what he explicitly said he spent a lot of time on."

Project Zero has done some great things and improved a lot of security, but this feels like a spiteful slap at a competitor. It's not Google is really vulnerable to the same kind of thing, they've long since shown that the security of older versions of their only real public OS is not their concern.


> You forgot to include "with pre-built exploit tooling built around what he explicitly said he spent a lot of time on."

No I didn't; I said everything and I meant everything. If anything, 90 days is overly generous to Google. If they can't get their shit together in three bloody months, fuck them. Of course, this is Google, so fuck them regardless, but this way you have obvious moral high ground.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: