The GrapheneOS project, which is developing an alternative free Android firmware focused on security and privacy, has announced that Google has changed its policy for publishing vulnerability patches for the Android platform and for disclosing information about vulnerabilities. The October Android security bulletin that was published is empty.
Google will now provide Android security patches exclusively to OEMs through closed channels, under a non-disclosure agreement that obliges them not to publish source code containing the provided patches for a period of 3 months from the date of receipt. During this time, only binary builds that include the fix may be distributed.
The code itself remains under the open Apache license, but the right to distribute it is subject to a temporary restriction imposed through the non-disclosure agreement. The stated motive for this change in company policy is a “desire for increased security”, which has been characterized as an attempt to apply the principle of “security through obscurity”.
Despite the difficulties this creates for open third-party firmware, the GrapheneOS project has found a way out of the situation by partnering with an OEM supplier that provides the embargoed patches to the project before their official disclosure.
It is noted that from now on GrapheneOS will offer two different release channels: one with fully reproducible builds based on AOSP at the time of publication, but without the closed security patches, and one with builds that include the patches, whose reproducible source code will be published only after the embargo has expired.