Slashdot Mirror


'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief (bbc.com)

The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

4 of 230 comments

  1. Re:So what's the full story by thaylin · Score: 5, Informative

    Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted Google to violate its own guidelines for them.

    --
    When you can't win, ad hominem.
  2. Google is not to blame here. by thaylin · Score: 5, Informative

    Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted Google to violate its own guidelines for them.

    The problem is in bypassing the Play Store they did open themselves up some, and now they want Google to change, not them.

    --
    When you can't win, ad hominem.
  3. Re:So what's the full story by u19925 · Score: 1, Informative

    I'd at least like to hear Google's side of this first.

    You heard Google already. They told what they had to when they announced the security issue. Only then Epic has reacted. In this instance, Google is outright greedy and wants to kill anybody who wants to distribute software outside of Google Play store. So much for the open Android platform. Manufacturers cannot fork Android otherwise none of the phones can be connected to Play Store. They must install dozens of privacy-invading Google apps in default settings otherwise no Play Store. Android are simply Google peeking devices. At least with FB, they get what you explicitly provide. Apple virtually does not use anything you provide and collects far less data. Google implicitly collects all data that you may not be aware of and sells them to the highest bidders even if they know that purchaser is using it illegally (one of the largest corporate fines ever was paid by Google to settle illegal drug ads).

  4. Re:Hard to care about either party... by Anonymous Coward · Score: 2, Informative

    Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

    The fix was already made available. As per Google's guidelines, they either announce the issue 90 days after reporting it, or a week after the fix is made broadly available. From the article, the fix was made available on Aug 17, and Google announced the flaw Aug 24 (a week after it was made available).

    Now, whether a week is enough time or not is another question... Epic wanted the full 90 days, Google said nope. How much time would be sufficient? Will everyone who downloaded it update, without knowing there's a major security flaw in their installed version? From the article, the installer is only updated when it or the game is run. So if a user downloads it and tries it once, then doesn't look at it again and also doesn't uninstall it, they are now vulnerable.