I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.
I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.
So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks"... Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"
I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.
Source Article from http://www.macrumors.com/2015/02/16/google-project-zero-disclosure-policy/
Google Relaxes Project Zero Bug Disclosure Policy