For anyone unfamiliar with Project Zero, it's a team at Google dedicated to finding security vulnerabilities across the internet (and in software in general, it seems)
Would be good to also highlight the other finders of some of these issues, but this view shows that Google Project Zero is a well executed PR machine taking away the focus of other security researchers. The title of this thread is similarly misleading.
> This result is the product of a long term collaboration between the Cryptology Group at Centrum Wiskunde & Informatica (CWI) - the national research institute for mathematics and computer science in the Netherlands - and the Google Research Security, Privacy and Anti-abuse Group. [...]
Title could still be better than it is, I think. Original title is much better. Things like attribution can be done fine in the comments if that's not in the title.
Furthermore, Project Zero was involved in only one of the CVEs anyway then. Why not put the other credit in the title too? CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)
Exactly what I thought. Project Zero allows Google to segway away from their Android ecosystem mess they left beyind and (even relatively benign findings at times - there was a Defense in Depth issue in Windows recently I remember that got an article) get a lot of media attention, and other researches are ignored. Shows that Google's PR works really well. I first noticed that during Meltdown/Spectre where most of the heavy lifting was done by university students somewhere in Europe, but they nowhere got as much attention as Google. Sad.
17 comments
[ 3.5 ms ] story [ 45.9 ms ] threadhttps://security.googleblog.com/2014/07/announcing-project-z...
- SHAttered(?)
- Row hammer
- Cloudbleed
- Lastpass exploit
- Meltdown & Spectre
> This result is the product of a long term collaboration between the Cryptology Group at Centrum Wiskunde & Informatica (CWI) - the national research institute for mathematics and computer science in the Netherlands - and the Google Research Security, Privacy and Anti-abuse Group. [...]
Furthermore, Project Zero was involved in only one of the CVEs anyway then. Why not put the other credit in the title too? CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)
People need some kind of pointer about _why_ they might want to read a security update statement.
Granted the original title should have included Tencent's name too.