Well, this is embarrassing:

Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference.

Google espouses 60 days to fix exploitable bugs and going public one week after private notification. According to Bluebox they told Google about this via bug 8219321 in February 2013. That’s a little bit more than 60 days ago. Seeing as it’s now July, I think (and I’m not very good at math, so bear with me here) that’s at least twice as many. It’s especially more than 7 days. I’m not sure how Google are following their own disclosure policy.

I suspect the people motivated to publish Google’s disclosure policy were all or mostly on the web side. It is a much different problem when you are dealing with software updates, especially on a platform that often you cannot update. I have yet to find a ROM past Android 4.0 (current is 4.2) that I can get running on my test phone. HTC certainly isn’t providing it, which means many millions of phones will be vulnerable… forever.

There was little doubt that publishing that policy wouldn’t eventually haunt them.