Comment by 827a

3 days ago

Is the implication at the end that Google has not actually fixed this issue yet? This is really bad; a massive oversight, very clearly caused by a rush to get Gemini in customers' hands, and the remediation is in all likelihood going to nuke customer workflows by forcing them to disable keys. Extremely bad look for Google.

As I was reading it I didn't realize I was reading a security report, so I was like, is it responsible for them to be sharing this?

Then I saw the disclosure at the end and didn't get the sense that the flaw was fixed, so then I was still thinking... Is it responsible for them to be sharing this?

I'm glad that they did, because I can audit my own projects, but a bad actor may also be glad that they did.

The fact that we're hearing this first from a third party and not from Google themselves is extremely problematic.

  • When I got to “the initial triage was frustrating; the report was dismissed as ‘Intended Behavior’” I thought well there’s no need to follow ‘responsible disclosure’ then, eh?

    I would have been tempted to blog about it immediately. Companies already get a sweet deal by people finding bugs for free, reporting them for free, and voluntarily keeping quiet about them for free; researchers shouldn’t also have to fight to report problems (for free).