August 22, 2008

Google Seeks Responsible Disclosure

In a rather unusual email, Google's Android security team approached the security community earlier this week via the Full Disclosure mailing list, introducing themselves and asking for moral support and responsible disclosure. Amichai and I talked recently about responsible disclosure (here, here and here). The Android security team at Google took no chances, promising credit only to those who play by their rules.

Our vulnerability bulletins will credit responsible reporters of any flaws.

If you did not have a chance to read Google's mail, you should. It's fun reading; here are my comments...
Here's a scrap of Google's email alongside my interpretation in bold.

As you may expect, building and maintaining a secure mobile platform is a difficult task. The Android platform team has put a great deal of work into trying to design a platform that balances our goal of open development and user choice with the unique challenges of securing a consumer-focused mobile system. **Yes, it is tough and we expect nothing else than a secure, yet usable, full-featured, fun, cheap and good-looking device.**

While we have found and fixed many of our own bugs **(good)** as well as flaws in other open source projects, **(very good)** we realize that the discovery of additional security issues in a system this large and complex is inevitable. **(sounds like someone is preparing an excuse)** That is why we would like to introduce ourselves today and let the security research community know how they can reach out and work with us. **Great. Good to know..**