Google Called ‘Irresponsible’ For Quick Disclosure Of Fortnite Flaw

Epic Games has accused Google of being “irresponsible” in its disclosure of a major security vulnerability affecting the company’s popular Fortnite game for Android before a patch had been widely distributed.

Google said it was following its standard procedures and acted in the interest of users’ security.

The problem affected Epic’s installer for Fortnite on Android, which the company began releasing to Android users earlier this month.

The installer was released outside of Google’s Play Store, a decision that was criticised on security grounds at the time. Google takes a 30 percent cut of in-game purchase revenues for titles released through the Play Store.

Credit: Epic Games

Security flaw

On 15 August, the search giant informed Epic that it had discovered a way that malicious apps running on an Android device could trick the Fortnite installer into downloading and installing malicious code that could take over a user’s device. Epic released a patch to users two days later.

The policy of Google’s controversial bug-hunting unit is to disclose flaws to the public 90 days after they’ve been reported, whether a patch is available or not, or a week after a patch has been released.

But in this case, Epic asked Google to wait the full 90 days before making information about the problem publicly available.

Google declined, and made the bug public on Friday. On the company’s bug tracking site, it wrote that since the seven days had elapsed it would “proceed to unrestrict this issue in line with Google’s standard disclosure practices”.

Epic chief executive Tim Sweeney said the comapany “genuinely appreciated” Google’s effort in finding the issue.

‘Irresponsible’

But he said Google’s quick disclosure went too far.

“It was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable,” Sweeney said in a statement.

He said the 90-day delay was “typical”, according to Sweeney, who argued that Google’s decision not to wait was a way of getting back at Epic for bypassing the Play Store.

“A company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play,” Sweeney said.

In a tweet, he said Google created “an unnecessary risk for Android users in order to score cheap PR points”.

Google said in a statement that its actions were in the interest of protecting users.

“User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer,” Google stated. “We immediately notified Epic Games and they fixed the issue.”

Disclosure controversy

Google has been criticised by other companies, including Microsoft, for publicising vulnerabilities before patches were widely available.

It has said its aggressive disclosure timeline is designed to force companies to produce patches more quickly. But in 2015, Google responded to criticism by offering a two-week grace period for companies that told it that a patch was being worked on.

Fortnite was also criticised for bypassing Google’s Play Store, in part because the absence of Fortnite there opened the door for scam installers to be placed on the official store to trick users.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

2 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

3 days ago