
© 2025 科技回声. All rights reserved.

US senator urges investigation into Google+ bug ‘coverup’

100 points, by egusa, over 6 years ago

4 comments

tptacek, over 6 years ago
What an embarrassment. Blumenthal should leave the performative infosec policymaking to his colleague Ron Wyden.

It is not and never has been a norm for SaaS vendors to disclose internal vulnerabilities that have not been discovered independently by third parties. Tens of thousands are found every year by internal teams and contractors at companies around the country, many of them far more severe than the G+ bug (which would probably win a sev:low on a real assessment, less impactful than an XSS bug). You hear about none of them.

A coherent argument that this is as it should be: http://flaked.sockpuppet.org/2018/10/09/internal-disclosure-boring.html

You can argue that things should be different for shrink-wrap software and hardware products, where vulnerabilities have a half-life and users need to be notified to patch. I won't disagree, but I will note that the norm of not disclosing internal discoveries holds there as well.
garyfirestorm, over 6 years ago
Sure. First hold Equifax accountable, then we'll talk about Google.
knorker, over 6 years ago
So not only should companies have to publish hacks, they also have to publish when they internally find a bug?

Do I also need to publish if I left my keys in the door for two hours, but nobody broke in?
Isinlor, over 6 years ago
It's a really shitty job by Google PR people. Who in their right mind would close a product in response to a security vulnerability? It was bound to grow out of proportion.

Headlines like "500 000 people at risk! The bug was so serious that Google shuts down their social network!" just write themselves.