
... how about Google pays more for bug bounties. How about Google actually pays people who report bugs/vulnerabilities. How about Google hires talent that actively tests, discovers and mitigates vulnerabilities rather than pushing that responsibility off on "the community" for considerably less pay. You know: "ownership."

There's no "obligation" to report, other than ethics and integrity. That's it. Further, there still exists no obligation for companies to report vulnerabilities as CVEs.



> How about Google actually pays people who report bugs/vulnerabilities.

That's exactly what Google did. They paid the person who reported it, not the person who discovered it. You can just follow the issue comments to get all your answers.

> So why is Google pushing a presser about Apple "not reporting a zero day"

Google did not release any "presser", they clarified the situation because there was some confusion about who discovered/reported it - and it didn't even mention Apple: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...

In fact, Google is still going to credit the Apple employee for finding it, because they reported it (1451211) after it was fixed: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...


> How about Google hires talent that actively tests, discovers and mitigates vulnerabilities

That's Project Zero: https://googleprojectzero.blogspot.com/

https://en.wikipedia.org/wiki/Project_Zero



Exactly. So why is Google pushing a presser about Apple "not reporting a zero day" when they have a team (Project Zero) dedicated to discovery of zero days? Is it really that Apple employee's responsibility, or is it Google Project Zero employee's responsibility?


Google doesn't run TechCrunch ....

The best you can do is say Google says "this issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022, which will be acknowledged in the security fix notes for the appropriate Stable channel release at the time they are updated" [1] which really is a nothingburger.

[1]: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...


It's everybody's responsibility to make a safer world.

Project Zero researches vulns in their competitors and responsibly reports them.

So why is Apple not reporting vulns to others when others are reporting to them?


> So why is Apple not reporting vulns to others when others are reporting to them?

The article includes an explanation. It seems plausible.


almost 3 months to find the right person, get the signatures, and deal with OOO

Meanwhile another person reported in a timely manner.

plausible versus reasonable?


This is Apple we're talking about. Sometimes magnificent, other (most?) times unable to get out of its own way, especially when it doesn't have a process for X. And anything that involves saying anything in public...

Obviously they think their silos of secrecy are a net positive, but really I wonder. I do consider them the greatest, or one of the greatest execution machines in business, but I also think that's despite themselves.


> It's everybody's responsibility to make a safer world.

> project zero researches vulns in their competitors and responsibly reports them.

I agree. Project Zero is a talented group.


I'm confused. Are you suggesting that having a team dedicated to discovering zero days means that this team will discover all zero days that could possibly exist?

Or even, that they will discover all zero days that will be discovered before anyone else discovers them?


No one is perfect. No organization is perfect. US tech companies actively collaborate to improve security.



