This just means we won't submit vulnerability reports or upstream fixes. We've ...

npub1hxx…g75y

2025-03-26 22:45:27

in reply to nevent1q…kmmu

This just means we won't submit vulnerability reports or upstream fixes.

We've reported many serious vulnerabilities in Android upstream and gotten them fixed, but we gradually reduced how many of the vulnerabilities we report to them after our security partner access was revoked in the past.

There are a growing number of serious Android vulnerabilities currently only fixed in GrapheneOS because of them revoking our security partner access. They're hurting themselves more than they're hurting us with their approach. We can get partner access via an OEM.

We successfully helped them block Magnet Forensics (Graykey) and MSAB (XRY Pro) from doing AFU exploits on Pixels in 2024 when they shipped a feature we proposed in January 2024 in April 2024. We've helped get a lot of other vulnerabilities closed since we started in 2024 along with some major privacy and security improvements landed. Contributing to AOSP has been a poor experience so them breaking that is fine. We'll focus 100% on defending our users, not Android users.

Author Public Key

npub1hxx76n82ags8jrduk0p3gqrfyqyaxnrlnynu9p5rt2vmwjq6ts3q4sg75y

Seen on

wss://nostr.mom wss://relay.nostr.band wss://relay.primal.net

Show more details

Published at

2025-03-26 22:45:27

Kind type

1 Short Text Note

Event JSON

{ "id": "50b4d81ff068313672429ed27d1e376c3a7c641cefaff5b8461f6a482d07b37a", "pubkey": "b98ded4ceaea20790dbcb3c31400692009d34c7f9927c286835a99b7481a5c22", "created_at": 1743029127, "kind": 1, "tags": [ [ "e", "f1f18b4102bd367e9f7cd3d2342202005a66075365175c6d3d8bc5ba11300d26", "", "root" ], [ "e", "7c2f3268148acd7d2a104a2f2e360e15b5a2ed74612c230f6b87ecba211498ee" ], [ "e", "c2a43d2a679816f81a37fe3b6bce268bdf356d9fca0bbd8b2ddd6c4a5d48f1ba", "", "reply" ], [ "p", "c054332e25ef1ca0feebcd580622613bed81fec31e41f52f27a644c993cd67ae" ], [ "p", "b98ded4ceaea20790dbcb3c31400692009d34c7f9927c286835a99b7481a5c22" ], [ "p", "dcdc09a16b128c60ace29c2d4d521fa80bb62db91e69b586bf8e94a467f1cd5f" ] ], "content": "This just means we won't submit vulnerability reports or upstream fixes.\n\nWe've reported many serious vulnerabilities in Android upstream and gotten them fixed, but we gradually reduced how many of the vulnerabilities we report to them after our security partner access was revoked in the past.\n\nThere are a growing number of serious Android vulnerabilities currently only fixed in GrapheneOS because of them revoking our security partner access. They're hurting themselves more than they're hurting us with their approach. We can get partner access via an OEM.\n\nWe successfully helped them block Magnet Forensics (Graykey) and MSAB (XRY Pro) from doing AFU exploits on Pixels in 2024 when they shipped a feature we proposed in January 2024 in April 2024. We've helped get a lot of other vulnerabilities closed since we started in 2024 along with some major privacy and security improvements landed. Contributing to AOSP has been a poor experience so them breaking that is fine. We'll focus 100% on defending our users, not Android users.", "sig": "eddd75a67f842294a3a2a85db477d84cd288b288520e564b8c58bbedf05312ba79bf28d0d858df69128b6880f0f5acf55068d1e95ea62cd6a2c6df9b3640f19d" }