Stopping a GoS Dennis Nedry

K8y

People pay big bucks for a vulnerability tip. What's stopping a bad GoS employee tipping off vulnerabilities to Pegasus type companies like in Jurassic Park?

Johnnyloans

K8y

Happens all the time but the tipper could be anyone in the world. The project is open source so anyone can check for vulnerabilities. The situation of: a gos employee inserts a vulnerability, hopefully people learned from xz. (A second person looks over pull requests like they should instead of hitting accept in 2 seconds.)

There are bug bounties where people get paid to tell "the good guys" or they could go to a black hat company and get paid there.

I guess GOS would need to have an appetizing bug bounty program.
But, it might never be enough since Pegasus could pay 1 person 1 million for 1 vulnerability.

Gos has many layers of security to get through. It's like: ya there might be a weak spot in the wall, but a security camera is pointed at it and theres a 2nd & 3rd wall to get past.

akc3n

K8y Common question, answered in detail here: https://grapheneos.org/faq#audit

Johnnyloans I guess GOS would need to have an appetizing bug bounty program.

Re: "bug bounty", see https://discuss.grapheneos.org/d/13298-bug-bounty-program/5 and https://discuss.grapheneos.org/d/13298-bug-bounty-program/7

NOTE: Might have some more links to edit and append to this comment at a later time if I recall where related discussions on this took place over the years.

Johnnyloans

Johnnyloans Happens all the time

Not all the time. I mean it isn't a rare, doomsday event

dhhdjbd

a GoS vulnerablity is most likely either just an android or pixel firmware vulnerbility, then a unique Graphene one

horde

I think OP meant that someone reports a vulnerability to GrapheneOS's security email address. But, I think only limited people have access to this address and probably main person managing this address is Daniel Micay. If there are other people from GrapheneOS team that are trusted have also access to this email (on security team), then it would be disgusting thing to as people lives can be put in danger and it can be easily found that someone is exploiting a 0day in wild after the reporter sent the email (unless 0day was already being exploited in the wild).

Also by using GrapheneOS's you are already trusting people running the project anyway.