On Tue, Aug 27, 2013 at 10:14 AM, Brian Carlstrom <b...@google.com> wrote:
> I wouldn't recommend https://code.google.com/p/android/issues/. We can
> mark issues private, but I don't think reporters can on initial
> submission. The "Android Security FAQ" says to email
> secur...@android.com, see below for more.
>

If you visit "https://code.google.com/p/android/issues/entry" and select the "Security bug report" template, the resulting bug will be marked private and only viewable to the Android team. It won't be public until the private label is removed. Having said that, secur...@android.com is the preferred route to handle security bugs.

>
> -bri
>
> http://developer.android.com/guide/faq/security.html
>
> I think I found a security flaw. How do I report it?
>
> ________________________________
>
> You can reach the Android security team at secur...@android.com. If
> you like, you can protect your message using our PGP key.
>
> We appreciate researchers practicing responsible disclosure by
> emailing us with a detailed summary of the issue and keeping the issue
> confidential while users are at risk. In return, we will make sure to
> keep the researcher informed of our progress in issuing a fix.
>
> On Tue, Aug 27, 2013 at 10:02 AM, Jeffrey Walton <noloa...@gmail.com>
> wrote:
> > On Mon, Aug 19, 2013 at 12:50 PM, James <james.col...@gmail.com> wrote:
> >> Hi,
> >> I've written a proof of concept apk that manages to send data back to my
> >> server without the apk having the INTERNET permission.
> >> What is the correct way to disclose this vulnerability? Or is this already
> >> known?
> > https://code.google.com/p/android/issues/. I believe there's a
> > "security" checkbox that keeps it private until AOSP decides upon
> > disposition.
> >
> >> Or is this already known?
> > Now how are we supposed to be able to answer that without seeing the
> > bug or POC :)
> >
> > Jeff
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Android Security Discussions" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to android-security-discuss+unsubscr...@googlegroups.com.
> > To post to this group, send email to
> > android-security-discuss@googlegroups.com.
> > Visit this group at
> > http://groups.google.com/group/android-security-discuss.
> > For more options, visit https://groups.google.com/groups/opt_out.

--
Nick Kralevich | Android Security | n...@google.com | 650.214.4037