Conversation

Without this there's nothing stopping vendors from saying "we already knew about this lol" for every critical vuln. It's time to treat researchers fairly.
Quote Tweet
Replying to @h0mbre_
I feel like it should be in a platform's interest to make sure a vendor provides evidence about known vulnerabilities.
3
43
Replying to
Most of the bugs that I report to Google get closed as duplicates. It's even more frustrating now that I don't care much about the bug bounties. I'm convinced that a decent amount of the time, they're misunderstanding what I reported. Can't see the supposed duplicate to check...
1
4
Replying to and
We can't fix or work around most firmware issues in their hardware ourselves in GrapheneOS. Need them to listen, understand and fix it. I have a bug that I reported in the Titan M firmware on Oct 19, 2020 which is minor in terms of security but quite annoying when using it...
1
3
Replying to and
Not much experience filing security bugs with other companies (although I do have some) but my experience with Google is they tend to take way longer than the 90 days they use for Project Zero. Waiting 150+ days after they close a supposed duplicate for the fix isn't very fun.
1
2
Replying to and
They'd probably imply it has something to do with COVID but I think they just need to hire more people, either let them work from home or give them actual offices + let them spend more time doing work instead of having meetings all day. Maybe they'd actually get stuff done then.
2
1
Replying to and
Also have an unfixed vulnerability they've marked as High severity which I filed in October 2020. I'd report way more issues if they didn't close most of them as either Duplicate or Won't Fix (Infeasible), or at least acted faster on ones they consider valid issue reports.
Android bug status showing many issues closed as Won't Fix (Infeasible) or Duplicate.
1
1
Replying to and
Those are just the ones I've reported myself. I usually get other GrapheneOS project members to report them and then they can theoretically get some extra income via the bug bounties. Theoretically, if someone at Google actually reads it and they actually decide to fix the bug.
1
Replying to and
Won't Fix (Obsolete) either means they forgot to close the bug or they took too long to deal with it and now the code is deleted. For one of those they paid me 4000 USD but didn't remember to mark it Fixed. Sometimes they forget to fix bugs they publish in their bulletins...
1
1