Hi, citing http://developer.android.com/guide/appendix/faq/security.html#informed "We will publicly announce security bugs when the fixes are available via postings to the android-security-announce group on Google Groups."
That particular group is empty (except for a welcome post). I can hardly believe that there were no security bugs in the past - or are they all unfixed and therefore not published?

Anyway, Google (through its employee Tavis Ormandy) goes for "responsible disclosure": "Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. [...] We of course expect to be held to the same standards ourselves."*

If I remember correctly, Google is a huge player in the Open Handset Alliance. Applying this policy to Android security would lead me to the conclusion that there are no security-relevant bugs in Android that are older than 60 days. Is that true?

Regards
jan

*http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html
