'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief (bbc.com)
The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
Google isn't playing nice. Don't get a cut of the profit? Well screw your security alerts.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted Google to violate its own guidelines for them.
The problem is, in bypassing the Play Store they did open themselves up some, and now they want Google to change, not them.
When you can't win, ad hominem.
This is well stated. And for those that think that it's vindictive on Google's part, well... you're not wrong, but it's the consequence of releasing outside the ecosystem that would automatically deploy the update to the install base.
I think a lot of people are failing to realize that the 30% cut isn't just to make Google money, but also to fund the infrastructure to host and deploy apps according to their own best practices.
Let's think about what Epic were asking for. They'd prefer users not be notified of a critical vulnerability for three months and instead just wait to see how many upgrade naturally.
Google, on the other hand, have a published policy that they will notify of security events after 90 days if unpatched or after a patch is widely available, exactly what happened here.
While Google does have a strong financial incentive to stop other companies from operating outside the play store, they also have an incentive for Android not to be viewed as a less secure mobile operating system. It seems to me that, if you want to encourage security patches to be applied, you would want to let users know that their existing install has a critical vulnerability. Why Epic would prefer silence can be inferred, but it's not to the benefit of their customers.
AFTER it has been patched so users can patch? That is not how it works, dude. If they announced the bug BEFORE a patch was made available then sure, but after a patch is released it is more irresponsible to NOT release the details, because people won't know they need to patch, but exploiters will know there was a patch and can seek it out.
When you can't win, ad hominem.