Softpedia
 


May 16th, 2011, 11:54 GMT

Google Denies Chrome Sandbox Breach

VUPEN's Chrome sandbox hack contested
Google Chrome's security engineers reject the claim that French vulnerability research outfit VUPEN Security broke out of the browser's reputed sandbox.

Google's experts claim that this wasn't an attack against the Chrome sandbox itself, but against the Flash Player plug-in bundled with the browser.

"As usual, security journalists don't bother to fact check. VUPEN misunderstood how sandboxing worked in chrome, and only had a flash bug," wrote Google information security engineer Tavis Ormandy on Twitter.

Mr. Ormandy's colleagues, Chris Evans and Justin Schuh, both Google security engineers, agree with this assessment, but VUPEN's founder and head of research, Chaouki Bekrar, doesn't.

"Nobody knows how we bypassed Google Chrome’s sandbox except us and our customers, and any claim is a pure speculation," Mr. Bekrar said in a statement.

VUPEN has already announced that, according to the company's policy, it will not disclose details about the exploited vulnerabilities to Google. Instead, it will share the intelligence with its government customers.

This has been received with a lot of criticism from users, but the truth is that a lot of 0-day exploits are being sold in a legit manner.

Mr. Bekrar points out that Microsoft also shares information about security vulnerabilities with government agencies in advance of patching them, and sometimes these vulnerabilities are discovered by third parties.

The whole controversy seems to surround the Flash plug-in implementation in Chrome. Google has been working with Adobe to sandbox the bundled Flash plug-in, like the native PDF one, since last year.

This was announced as a feature in Chrome 10 stable, whose release notes read "sandboxed Adobe Flash on Windows." However, it seems the Flash sandbox and the Chrome sandbox are two separate things, and breaking one doesn't mean breaking the other.

READER COMMENTS:


Comment #1 by: kingyo on 21 May 2011, 06:27 UTC

VUPEN is a very poor example of professional ethics internationally. Professionals would provide the details to their customers and then to Google in order to eliminate the vulnerability unless their customers are the crooks.
