[HN Gopher] A walk through Project Zero metrics
___________________________________________________________________
 
A walk through Project Zero metrics
 
Author : arkadiyt
Score  : 38 points
Date   : 2022-02-10 17:07 UTC (1 days ago)
 
 (HTM) web link (googleprojectzero.blogspot.com)
 (TXT) w3m dump (googleprojectzero.blogspot.com)
 
| tptacek wrote:
| This will sound very weird, but I kind of hate that they include
| Google among the vendors they report to, provide a deadline and
| grace period for, and track responses from. It's actually not
| their responsibility to do anything like that; if Microsoft and
| Apple are unhappy that P0 is targeting them, they should respond
| by standing up their own P0 teams and hammering Google, rather
| than having everyone operate under the fiction that it's OK for
| Google to be the only major vendor doing this work.
| 
| (I'm of course not saying P0 shouldn't target Google, just that
| Google shouldn't have to be publicly accountable to Google P0).
| 
  | lima wrote:
  | Why not? It really strengthens the message.
  | 
    | tptacek wrote:
    | I don't think it does strengthen the message, unless you
    | think Google does such a good job responding to P0 that
    | they're setting a standard Microsoft, Apple, and Adobe have
    | to adhere to, and I think that's pretty debatable (the really
    | important thing P0 does to set a standard is the 90 day
    | deadline).
    | 
      | xxpor wrote:
      | It prevents google execs from burying P0 reports to other
      | teams at Google though, which seems like the bigger risk?
 
  | [deleted]
 
  | xxpor wrote:
  | Could you expand more on why?
  | 
  | At least to me, it seems like there's no _downside_ to publicly
  | tracking responses from Google itself. Ideally P0 should
  | operate mostly independently.
  | 
  | Agreed that there should be more P0 like efforts from other
  | companies though. The more the merrier.
  | 
    | tptacek wrote:
    | I guess I'd start by saying I don't see the advantage to P0
    | operating independently. Threads about P0 often devolve into
    | debates about conflicts of interest, but there's no conflict
    | here; every vendor has in principle the right to conduct
    | lawful vulnerability research against other vendors,
    | including competitors, and there's no ethical standard that
    | dictates what those vendors should choose to target.
    | 
    | Google is, of course, ethically obligated to rigorously test
    | its own products, and if P0 has expertise that the other
    | security orgs at Google lack, it's ethically obligated to
    | train that expertise on Google products. I'm just saying that
    | Google isn't ethically obligated to include itself in its
    | vendor tracking statistics.
    | 
      | shadowgovt wrote:
      | I agree there's no obligation, but including it gives other
      | people some assurance that P0 isn't going easy on its
      | patron.
 
  | pvg wrote:
  | What's the downside, though? It helps reinforce the message
  | that this work is a kind of public good rather than mere
  | corporate sniping and protects the reputation of the
  | researchers. It's a bummer it hasn't shamed other big companies
  | into organizing similar efforts but it would be even less
  | likely to do so if it was even easier to dismiss as some sort
  | of nefarious PR effort (not that this doesn't already happen).
 
| olliej wrote:
| I dislike many aspects of google, but project zero is not one of
| them and has greatly improved the overall security of the
| industry.
| 
| Also their blogs describing how security exploits work are always
| super interesting
 
| [deleted]
 
| r00fus wrote:
| Is it meaningful to include "Linux" as a discrete vendor? How
| would you compare an OSS project to a company like Microsoft or
| Google?
| 
  | that_guy_iain wrote:
  | The Linux Kernel is a product and the Linux Foundation is its
  | vendor. I would assume they mean them. Especially when they had
  | Red Hat and Canonical in "other"
 
| tester756 wrote:
| that iOS vs Android table kinda makes no sense as they said
| 
| iOS 76, Android Samsung 10, Android Pixel 6
| 
| > The first thing to note is that it appears that iOS received
| > remarkably more bug reports from Project Zero than any flavor
| > of Android did during this time period, but rather than an
| > imbalance in research target selection, this is more a
| > reflection of how Apple ships software. Security updates for
| > "apps" such as iMessage, Facetime, and Safari/WebKit are all
| > shipped as part of the OS updates, so we include those in the
| > analysis of the operating system. On the other hand, security
| > updates for standalone apps on Android happen through the
| > Google Play Store, so they are not included here in this
| > analysis.
| 
| so kinda what's the point of putting that column there? people
| will use it as an argument that Android is safer :P
| 
  | amscanne wrote:
  | There are advantages and disadvantages to bundling applications
  | with the core OS; having these security bugs become part of the
  | OS release vehicle (along with the heavyweight process that
  | implies) seems like a disadvantage. With respect to the table,
  | I think there's a decent argument either way.
 
| gsmith7890 wrote:
| What was the most serious vulnerability or set of vulnerabilities
| identified by Project Zero?
| 
  | UncleMeat wrote:
  | Spectre is probably the most interesting one. As of right now
  | it isn't as critical as other things since it is difficult to
  | actually exploit but its implications are gargantuan, similar
  | to the development of return-oriented-programming a while back.
___________________________________________________________________
(page generated 2022-02-11 23:00 UTC)