It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on an unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
The linked conversation looked pretty civil - looks as though you decided to step down, which is entirely reasonable, but I don't see anything forcing you or imposing anything on you.
Civil, but unreasonable. An unpaid maintainer of a free library isn't a vendor, and shouldn't be treated in any such way. A vendor is paid.
This isn't the same as bigcorps offloading their compliance costs to open-source "vendors". No one's obligated to do anything. The disclosure window is meant to address a tradeoff between giving the dev a chance to fix it, and minimizing users' risk until patch issuance. But if the dev can't fix it, the risk tradeoff shifts and you do have a duty to make it public for users' sake. You can't take it for granted that you're the first one and only one to have found that vulnerability.
They aren't demanding anything of you. The alternative is immediate disclosure of bugs, not indefinite embargo of bugs.
I don't see how they were treated in that way, though?
Put plainly, any sort of expectations as if the other person is an employee or coworker makes no sense to me.
If Google wants bugs fixed in open source software, they should also submit a PR with the fix, or provide a bounty for the fix.
The way this is done is an unveiled threat (if it was my library, I'd tell them as much. Deadlines are for vendors or employees, not for free libraries).
Google is a bunch of hypocrites; there are other cases where Google asked third parties for a disclosure extension and the fixes took longer than 90 days, but here is the most recent one I noticed...
https://news.ycombinator.com/item?id=43032464
You said "Being an unpaid volunteer, I also don't really care about external deadlines. I'll just make the issue and the fix public and people can patch libxslt themselves." But that's what they were going to do anyway if you didn't fix it--they were going to make the issue public. What's the problem?
What do you think of https://bughunters.google.com/open-source-security/patch-rew...?