Not much experience filing security bugs with other companies (although I do have some) but my experience with Google is they tend to take way longer than the 90 days they use for Project Zero.
Waiting 150+ days after they close a supposed duplicate for the fix isn't very fun.
They'd probably imply it has something to do with COVID but I think they just need to hire more people, either let them work from home or give them actual offices + let them spend more time doing work instead of having meetings all day. Maybe they'd actually get stuff done then.
Also have an unfixed vulnerability they've marked as High severity which I filed in October 2020.
I'd report way more issues if they didn't close most of them as either Duplicate or Won't Fix (Infeasible), or at least acted faster on ones they consider valid issue reports.
Those are just the ones I've reported myself. I usually get other GrapheneOS project members to report them and then they can theoretically get some extra income via the bug bounties. Theoretically, if someone at Google actually reads it and they actually decide to fix the bug.
Won't Fix (Obsolete) either means they forgot to close the bug or they took too long to deal with it and now the code is deleted. For one of those they paid me 4000 USD but didn't remember to mark it Fixed.
Sometimes they forget to fix bugs they publish in their bulletins...
Agree... trolling the AOSP bug tracker for issues was always an easy way to get PoCs/target areas for RCE development.
has been going through the bulletins and finding cases where they forgot to actually fix the issues. It's a regular occurrence. You would think that Google could afford to pay someone to do that, but no.
Yeah it is rather shocking to see it happen. I was in disbelief when I found the first such occurrence of a bug.
It's pretty frustrating when, despite me literally giving links to bulletins and commits, they somehow didn't understand the issue at hand. Though interestingly one of my reports did get closed as "A Google engineer has found this internally", so _maybe_ someone is looking?
It may mean that they're aware the issue is already fixed but don't understand that the actual problem is they forgot to fix it for at least one of the Pixel phones. It's really hard to decipher what their broken telephone messages mean. It'd be nice to see the real discussion.
labs.taszk.io/blog/post/61_a is a nice example of them closing a bug as a duplicate, which leads to cutting off information from the reporter of the supposed duplicate and in this case cost them coordinated disclosure. Could be handled much better.
They miss their own 90 day disclosure timeline target more often than not seemingly largely due to all the bureaucracy and overly lengthy certification/testing processes. Everything also gets broadly disclosed to pretty much everyone 30 days in advance of the monthly updates too.