without this there’s nothing stopping vendors from saying “we already knew about this lol” for every critical vuln. it’s time to treat researchers fairly
Quote Tweet
Replying to @h0mbre_
I feel like it should be in a platform's interest to make sure a vendor provides evidence about known vulnerabilities.
Replying to
Most of the bugs that I report to Google get closed as duplicates. It's even more frustrating now that I don't care much about the bug bounties. I'm convinced that a decent amount of the time, they're misunderstanding what I reported. Can't see the supposed duplicate to check...
Replying to and
Not much experience filing security bugs with other companies (although I do have some) but my experience with Google is they tend to take way longer than the 90 days they use for Project Zero. Waiting 150+ days after they close a supposed duplicate for the fix isn't very fun.
Replying to and
They'd probably imply it has something to do with COVID but I think they just need to hire more people, either let them work from home or give them actual offices + let them spend more time doing work instead of having meetings all day. Maybe they'd actually get stuff done then.