[Dshield] "Google flaw fixed before publication"

Brian Dessent brian at dessent.net
Tue Oct 11 22:36:01 GMT 2005

Josh Tolley wrote:

> I've seen a couple blog/news/etc. postings now about how Google
> apparently fixed a security problem with their system before the
> company that initially reported the problem to Google went public with
> the details. I realize this is how vulnerability reporting is supposed
> to work, i.e. Alice tells Bob about a flaw in his software and grants
> him some period of time to fix it before she goes public with the
> details, Bob fixes it, and encourages his users to patch/upgrade/etc.
> Does it happen that way so rarely that this really is news, or is this
> 1) Google trying to win the hearts of security geeks, 2) some reporter
> with nothing better to do, 3) something else entirely?

I would guess that this kind of thing happens relatively frequently, but
in most cases it's not newsworthy.  It's especially so when the affected
code is a proprietary back-end as in this case, because once fixed there
really is little reason for the discoverer to report the flaw -- unless
they just want credit.  Since there is only one site running this code,
and that site has been fixed, the typical need to inform other users
(e.g. so they can patch too) of the problem does not exist.  So I
imagine that this kind of thing happens all the time without anyone ever

In this case it's probably newsworthy because Google is a huge company
that is watched like a hawk by many.  It's also the darling of geeks
everywhere and they know that revealing that they fixed the reported
flaw in two days will further that reputation.  But, for example when
those XSS vulns were discovered on Hotmail, that was a big news story
too, for similar reasons probably.  I don't remember what their response
time was, but I seem to recall that it was under a week.  But in that
case it was much more of a "ha-ha look at MS, they can't write code"
versus "all praise Google and its quick response."


