
It's funny, but I think it's written that way on purpose, not just as snark.

It's a little tricky to keep track of what happened here. There are 4 bugs in this post, and (I think) 2 different timelines: the UAF timeline for the first bug, and the TOCTTOU timeline for the 3 subsequent bugs. What's important to understand about the three TOCTTOU bugs is that there's a "right" fix for that bug, and a series of wrong fixes that delay the inevitable. Ian Beer and GPZ probably go into this whole process knowing what the right fix is, and with predictions on how they'll defeat any of the wrong fixes.

So it looks like GPZ reported a bug and then found flaws in the mitigations, but really all three of the flaws they found were known, at least conceptually, when GPZ reported the TOCTTOU race to Apple.

In the TOCTTOU timeline, Apple got an extension. Subtextually, it sounds like Tim Cook called Sundar Pichai. GPZ does not want to give extensions. They have a 90-day disclosure timeline, it's very well known, and probably the healthiest disclosure process in the industry. It's problematic for GPZ to give extensions because next time Tavis Ormandy finds a vulnerability in Norton Antivirus, Symantec is going to try to play chicken, and GPZ doesn't want to be at day 89 having to decide whether to drop zero-day versus being held hostage by a patch schedule.

But if a bug escalates all the way to Tim Cook, GPZ is probably pretty OK just with the degree to which that raises the profile of their bug --- it's hard to look at that and think Apple isn't taking your bug extremely seriously. So they'll trade the raised profile for the 5 week extension.

So they include a bunch of fuck-yous to Apple in the disclosure timeline, messaging to other vendors that GPZ is not going to budge even if your dumb original fix turns out to have a flaw that Ian Beer will notice and exploit. If you want the extension, you'd better have a Tim Cook.

Or maybe they're just having fun. Either way, a good read!



I wonder if it was really the CEO or someone else, and whoever it is is probably here.


It could have been Craig, too.



