Is the claim that PZ is some sort of PR attack on other companies?
Because as someone who is highly skeptical of Google's motives a lot of the time, that just seems like a batty take for anyone who is familiar with their work.
That’s been the claim for as long as they existed, and one that Microsoft employees like to respond with in the media (and behind closed doors). It’s not true though. I have talked to some of the early PZ folks and they are unwavering in their devotion to sincerely held beliefs that they are making the internet safer. They feel strongly that their hard disclosure deadline is a critical component of this and they stick to those principles, even when it is unfavorable to Google.
The only reason that deadline exists is because many vendors have had a long history of taking advantage of researchers who agree to embargo details of their work while the vendors work on a fix. Bugs were going unfixed for years.
It has been my observation that this strategy only partially worked. The main thing that happened is that vendors now won’t sit on Google reported vulns, because they know Google are not bluffing, but they’re still generally happy to take their sweet time if the report comes from someone else. I know of some companies who put PZ bugs in a special queue to fast track them.
I think it has done a little bit in terms of setting norms for shorter disclosure timelines though.