It is indeed there, and if you disable exploit protection on these attack vectors individually for each application that requires it (the DCL restrictions via memory and via storage), the application will work.
The metaphor is especially appealing to me considering one of my passions is MMA.
Essentially we are stuck in a paradigm of not maximizing individual privacy as a priority, at the cost of someone else’s corporate progress and market dominance setup.
If just one out of every three cents from Corporations went to building values and models like the Graphene OS, it would be…
If at least every third bullet and the resources for its production, used to kill the most beautiful thing on the planet - life, were used not for that but for the good, it would be…
So far I have found a compromise: I have been able to run my apps by disabling only one of the two DCL restrictions (memory or storage), and each app needs a different one. I am not running transactions, etc.
Only opening, checking accounts, menu surfing, etc.
Banking applications are a separate and very sensitive topic. Even Graphene OS notes that some of the features present as exploit protection correlate with the tools banking apps use to monitor unauthorized access, so they should be considered capricious. Correct me if I’m wrong, because my experience with banking applications on a personal device protected by Graphene OS is not very long.
What I am concerned about at the moment, and what I would like to consult with you all about, is what I should do next, and whether my previous actions in creating this topic (and potentially the actions of anyone who further reports such bugs) violate Proton’s Vulnerability Disclosure Policy, specifically this section:
Proton is committed to the timely correction of vulnerabilities. We will work diligently to resolve any issues that put our community at risk. We ask all researchers to bear with us as we examine the reports you submit to us, as the public disclosure of a vulnerability in the absence of a readily-available corrective action likely increases rather than decreases our community’s security risk.
Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 120 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, you must coordinate in advance with the Proton Security team.
We may share vulnerability reports with affected vendors. We will not share the names or contact data of security researchers unless given explicit permission.
Questions?
Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.
Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.
I only informed them today, and I have just received a polite and professional response:
Thank you for the nice words and for reaching out to Proton’s security team. We appreciate the time you took to inform us of your findings.
We will forward your report to the appropriate team, and will get back to you. Meanwhile we ask you to keep your findings confidential in accordance with Proton AG’s Vulnerability Disclosure Policy, located at Proton security response center | Proton.
Hi, thank you for your question. The answer is quite simple and reasonable. Both forums are a collection of people who are professionals in their field and have extensive experience in the subject matter, among other things. This is a topic that interests me and is a priority for me because I want to benefit the community and try to be an example. One of the main factors in such cases is speed of response and maximizing the involvement of knowledgeable people in the field. The threads on this forum and on the Graphene forum present the same issue as this one, but relate to different crash cases.
If the website doesn’t load without JIT on a browser that has it disabled, then it doesn’t work because of “non-standard restrictions”, but that doesn’t matter at all, because I would expect the website to work without it, especially if that website or service mentions security as one of its main selling points.
I tend to agree. The app is expecting to have this permission to do an action in an Android environment (whether it could be exploited or not is another question), but it can’t. So it crashes.
You are free to open tickets for any issues or crashes you may have. I am just pointing out that vulnerability disclosure isn’t the correct channel; it is meant for cybersecurity professionals who can provide detailed reports of an exploit they have found, with steps to reproduce it.
That’s a useful point: worrying security departments about issues that shouldn’t divert their attention is less productive.
Of course, since I’m not a coder (a latecomer to computers) but just an athlete who likes to read, lol. I’ll listen to you and add a poll for activeness.
Do you think it would be more appropriate to open tickets instead of sending emails through this channel?
By the way, your argument is supported by the fact that the email itself said that this would be passed on to the appropriate team.
We will forward your report to the appropriate team, and will get back to you.