Judge Jury and Executioner, no appeal path, and no transparency on process.
Really Google, this isn't good. Yes, a breach of your code of conduct but no, not abusive, and you appear to have taken the input and acted on it without credit. That's Intellectually dishonest.
I don't know Pierre from a bar of soap. He could be a complete asshat. Does it alter the power imbalance here?
BTW most common "self made crypto" misconfiguration is not discarding 0 byte data .... so just scanning for that you can get at least 10 000 sites in just US.
The fact that something was fixed doesn't make it a security vulnerability, the "security vulnerability" here is equivalent to a command line tool not accepting weak passwords, defenetly something worth having, but not a vulnerability.
The actual issue seems to be that some tools ask the user to provide a random seed, then accept anything non-empty, even if it’s too short or otherwise obviously not random. The reporter argues this is a critical security vulnerability, Google argues this is just a usability issue. Google subsequently added additional validation to make sure it’s also the right length.
Personally, I think usability issues can have security implications. Taken to the extreme, look at RSA: technically possible to use securely, but widely considered insecure because everybody screws it up. Modern crypto libraries are all about achieving better security by fixing footguns. This issue isn’t RSA, but I bet fully fixing this issue would make a small but tangible number of insecure users secure. I think Google should have a clear and spelled out policy re usability issues with security implications, and should give this guy at least some reward, even if it’s not the “critical vulnerability” he makes it out to be.
(standing on the gallows awaiting his execution) First time? :)
I've run into this a few times (only more so with Meta, not Google): well, they're within their rights not to pay. Purely theoretically, in my case it would be a lawsuit for violating GDPR (not hacking), but they know that there is no one to sue.
2025-07-02 16:41 UTC: Filippo implements my suggestions
I don't know if it's a coincidence that OP emailed Filippo in the 20 hours between Filippo agreeing with my suggestions and implementing my suggestions, or if OP saw my suggestions in the Sunlight issue tracker and decided to make a mountain out of a molehill. Either way - the changes were always going to happen regardless of OP.
12 comments
[ 3.9 ms ] story [ 29.2 ms ] threadReally Google, this isn't good. Yes, a breach of your code of conduct but no, not abusive, and you appear to have taken the input and acted on it without credit. That's Intellectually dishonest.
I don't know Pierre from a bar of soap. He could be a complete asshat. Does it alter the power imbalance here?
Tell HN: Google banned me for reporting CT vulns they fixed hours later - https://news.ycombinator.com/item?id=44454141 - 3 July 2025 (1 comment)
Tell HN: Google says "not vuln", fixes hours later without attribution - https://news.ycombinator.com/item?id=44456382 - 3 July 2025 (3 comments)
Also doesn't seem like a Google project?
BTW most common "self made crypto" misconfiguration is not discarding 0 byte data .... so just scanning for that you can get at least 10 000 sites in just US.
Personally, I think usability issues can have security implications. Taken to the extreme, look at RSA: technically possible to use securely, but widely considered insecure because everybody screws it up. Modern crypto libraries are all about achieving better security by fixing footguns. This issue isn’t RSA, but I bet fully fixing this issue would make a small but tangible number of insecure users secure. I think Google should have a clear and spelled out policy re usability issues with security implications, and should give this guy at least some reward, even if it’s not the “critical vulnerability” he makes it out to be.
I've run into this a few times (only more so with Meta, not Google): well, they're within their rights not to pay. Purely theoretically, in my case it would be a lawsuit for violating GDPR (not hacking), but they know that there is no one to sue.
Here's what actually happened:
2025-07-01 19:01 UTC: I suggest making some changes to Sunlight to improve usability of key generation and mitigate a potential misconfiguration risk with keys: https://github.com/FiloSottile/sunlight/issues/35#issue-3193...
2025-07-01 20:08 UTC: Filippo agrees with my suggestions: https://github.com/FiloSottile/sunlight/issues/35#issuecomme...
2025-07-02 12:20 UTC: OP emails Filippo claiming to have found a vulnerability in Sunlight
2025-07-02 13:03 UTC: Filippo replies to OP explaining why this is not a vulnerability (an assessment which I agree with entirely): https://groups.google.com/a/chromium.org/g/ct-policy/c/qboz9...
2025-07-02 16:41 UTC: Filippo implements my suggestions
I don't know if it's a coincidence that OP emailed Filippo in the 20 hours between Filippo agreeing with my suggestions and implementing my suggestions, or if OP saw my suggestions in the Sunlight issue tracker and decided to make a mountain out of a molehill. Either way - the changes were always going to happen regardless of OP.