Epic Games has accused Google of trying to score ‘cheap PR points’ with its disclosure of the bug before a patch was widely available
Epic Games has accused Google of being “irresponsible” in its disclosure of a major security vulnerability affecting the company’s popular Fortnite game for Android before a patch had been widely distributed.
Google said it was following its standard procedures and acted in the interest of users’ security.
The problem affected Epic’s installer for Fortnite on Android, which the company began releasing to Android users earlier this month.
The installer was released outside of Google’s Play Store, a decision that was criticised on security grounds at the time. Google takes a 30 percent cut of in-game purchase revenues for titles released through the Play Store.
On 15 August, the search giant informed Epic that it had discovered a way that malicious apps running on an Android device could trick the Fortnite installer into downloading and installing malicious code that could take over a user’s device. Epic released a patch to users two days later.
The policy of Google’s controversial bug-hunting unit is to disclose flaws to the public 90 days after they’ve been reported, whether a patch is available or not, or a week after a patch has been released.
But in this case, Epic asked Google to wait the full 90 days before making information about the problem publicly available.
Google declined, and made the bug public on Friday. On the company’s bug tracking site, it wrote that since the seven days had elapsed it would “proceed to unrestrict this issue in line with Google’s standard disclosure practices”.
Epic chief executive Tim Sweeney said the comapany “genuinely appreciated” Google’s effort in finding the issue.
But he said Google’s quick disclosure went too far.
“It was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable,” Sweeney said in a statement.
He said the 90-day delay was “typical”, according to Sweeney, who argued that Google’s decision not to wait was a way of getting back at Epic for bypassing the Play Store.
“A company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play,” Sweeney said.
In a tweet, he said Google created “an unnecessary risk for Android users in order to score cheap PR points”.
Google said in a statement that its actions were in the interest of protecting users.
“User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer,” Google stated. “We immediately notified Epic Games and they fixed the issue.”
Google has been criticised by other companies, including Microsoft, for publicising vulnerabilities before patches were widely available.
It has said its aggressive disclosure timeline is designed to force companies to produce patches more quickly. But in 2015, Google responded to criticism by offering a two-week grace period for companies that told it that a patch was being worked on.
Fortnite was also criticised for bypassing Google’s Play Store, in part because the absence of Fortnite there opened the door for scam installers to be placed on the official store to trick users.