Conversation

without this there’s nothing stopping vendors from saying “we already knew about this lol” for every critical vuln. it’s time to treat researchers fairly

Quote Tweet

Rado RC1

@RabbitPro

Sep 9, 2021

Replying to @h0mbre_

I feel like it should be in a platform's interest to make sure a vendor provides evidence about known vulnerabilities.

Replying to

Most of the bugs that I report to Google get closed as duplicates. It's even more frustrating now that I don't care much about the bug bounties. I'm convinced that a decent amount of the time, they're misunderstanding what I reported. Can't see the supposed duplicate to check...

Replying to

and

We can't fix or work around most firmware issues in their hardware ourselves in GrapheneOS. Need them to listen, understand and fix it. I have a bug that I reported in the Titan M firmware on Oct 19, 2020 which is minor in terms of security but quite annoying when using it...

Replying to

and

Not much experience filing security bugs with other companies (although I do have some) but my experience with Google is they tend to take way longer than the 90 days they use for Project Zero. Waiting 150+ days after they close a supposed duplicate for the fix isn't very fun.

Replying to

and

They'd probably imply it has something to do with COVID but I think they just need to hire more people, either let them work from home or give them actual offices + let them spend more time doing work instead of having meetings all day. Maybe they'd actually get stuff done then.

Replying to

and

Also have an unfixed vulnerability they've marked as High severity which I filed in October 2020. I'd report way more issues if they didn't close most of them as either Duplicate or Won't Fix (Infeasible), or at least acted faster on ones they consider valid issue reports.

Android bug status showing many issues closed as Won't Fix (Infeasible) or Duplicate.

read image description

ALT

Replying to

and

Those are just the ones I've reported myself. I usually get other GrapheneOS project members to report them and then they can theoretically get some extra income via the bug bounties. Theoretically, if someone at Google actually reads it and they actually decide to fix the bug.

Replying to

and

Won't Fix (Obsolete) either means they forgot to close the bug or they took too long to deal with it and now the code is deleted. For one of those they paid me 4000 USD but didn't remember to mark it Fixed. Sometimes they forget to fix bugs they publish in their bulletins...

Replying to

and

Agree... trolling the aosp bugtrack for issues was always an easy way to get pocs/target areas for rce development

Replying to

and

has been going through the bulletins and finding cases where they forgot to actually fix the issues. It's a regular occurrence. You would think that Google could afford to pay someone to do that, but no.

10:48 PM · Sep 9, 2021Twitter Web App

Replying to

and

Huberus

Replying to

and

Yeah it is rather shocking to see it happen. I was in disbelief when I found the first such occurrence of a bug.

Replying to

It's pretty frustrating when despite me literally giving links to bulletins and commits that they somehow didn't understand the issue at hand. Though interestingly one of my reports did get closed as "A Google engineer has found this internally" so _maybe_ someone is looking?

Show replies