Comment by abustamam
3 days ago
As I was reading it I didn't realize I was reading a security report, so I was like, is it responsible for them to be sharing this?
Then I saw the disclosure at the end and didn't get the sense that the flaw was fixed, so then I was still thinking... Is it responsible for them to be sharing this?
I'm glad that they did, because I can audit my own projects, but a bad actor may also be glad that they did.
The fact that we're hearing this first from a third party and not from Google themselves is extremely problematic.
When I got to “the initial triage was frustrating; the report was dismissed as ‘Intended Behavior’” I thought well there’s no need to follow ‘responsible disclosure’ then, eh?
I would have been tempted to blog about it immediately. Companies already get a sweet deal by people finding bugs for free, reporting them for free, and voluntarily keeping quiet about them for free; researchers shouldn’t also have to fight to report problems (for free).