I don’t understand why you wouldn’t just follow normal responsible disclosure practices here, e.g. just disclose this to Google and then leave it to them.
Google’s red team already knows. They have known about the problem for at least six months and abused the issue successfully in engagements to get very significant access. They’re just not really sure what to do because the only solutions they can come up with involve massively disruptive changes.