Google's Tavis Ormandy published a vulnerability in the hcp protocol handler. It allows the attacker to run arbitrary commands as the user. In practice it created a lot of alerts and warnings for me, but the XP install I was using is somewhat locked down. Later his report says it works around the alerts (I couldn't reproduce that, but that was his intention). However, there are some odd things about this that really struck me the wrong way. Google says it adheres to responsible disclosure, but at the same time they gave Microsoft 5 days to fix a 0day that Google's own researchers created!
Source: https://threatpost.com/does-google-have-double-standard-full-disclosure-061010/74091/

