I do care and echo R_NZ and Jan's sentiments. I do realize that a
responsible policy or process could look something like:

   1. Collect/find vulnerability (V)
   2. Inform device manufacturers & partners (P) first, if V is critical
   3. Agree on the fix (F) and delivery vehicle/time (T)
   4. Push F at T
      1. Or ensure P members push F
   5. Disclose the V and F sometime after T


Lack of response from the Google team on this topic is out of character.
I've never liked the following strategy but there are situations like this
that encourage white hats and security researchers to find a vulnerability,
call the vendors and give them only 24 hours to fix, and then disclose the
details the next day in IRC. This is an opportunity for the Android team to work
closer and in a more open manner with the community.

-Hadi

This email reflects my personal opinion.

On Sun, Jan 16, 2011 at 5:39 AM, Jan Niggemann <[email protected]> wrote:

> The problem is that you don't realize that there are issues to be patched
> or bugs to be fixed in the first place!
>
> I already tried to bring attention to that problem, please read this thread
> and draw your own conclusions.
>
> http://groups.google.com/group/android-security-discuss/browse_thread/thread/8502e95086b9552e/73e21c85b75f7062?hl=en#73e21c85b75f7062
>
> I'm still using my android phone 'cause it was an expensive device, but the
> only one I'll remotely consider will be one from Google itself. At least you
> can be sure to get some updates.
>
> As much as I dislike them, Microsoft really did well with the update
> mechanism for their phone OS...
>
> I'm still waiting for these issues to be resolved:
> - Google doesn't provide information about security problems (mailing list,
> google group, web page)
> - Google has no means to force the manufacturers to push out updates to the
> phones
> - You have no means to get updates on your own either
>
> 2011/1/14 R_NZ <[email protected]>
>
>> In practice it looks like no-one has cared about it since day one.
>>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
>
