Support Nathan CVE-first prioritization over the Google minimal-kernel delivery; own the customer comms

July 9, 2026 at 2:36 AMstrategymedium

Situation

Nathan flagged that in-flight critical local-privilege-escalation CVEs collided with the committed 6.18 minimal-kernel delivery to Google and called for CVE remediation to come first. Peter backed that call rather than making it: agreed to a bounded slip (no more than a week, not three), was comfortable asking the team to work a weekend to verify already-built patches, and took personal ownership of communicating the slip to Google - framed as value-add (surface only the CVEs Google benefits from), not an apology. Peter wrote and sent the explanatory email to Tissa and the Google team the same day.

Reasoning

Peter-confirmed framing: the prioritization call belonged to Nathan as Linux lead; Peter role was to support it and protect the customer relationship. Shipping a release with known zero-days is unacceptable, and a bounded, value-framed heads-up to a customer at the signing table protects the relationship better than silence or a defensive tradeoff story. Peter deferred the deal-commitment timing to Bjorn and Kelly since Google has not signed yet.

Additional Context

Google is looking to sign this week; the collision surfaced 3 days from the initial expected kernel date. Patches for the primary CVEs were already built and under verification.

Observed Evidence

Peter: I would give the same answer. The CVEs need to come first. / it cannot be a 3 wk slip. / This is where I would comfortably ask someone to work a weekend. / (we should only be telling google about ones they benefit from) / I will get him an email outlining what we are doing after 5pm pst today. Email to Tissa confirmed sent same day.

Matching Patterns

40%
Protect Engineering Capacity(security-first prioritization, same category (strategy))
30%
Executive Sponsorship for Strategic Partnerships(strategic customer (Google), same category (strategy))

Confidence Breakdown

34/35
Evidence
15/30
Pattern
19/20
Source
12/15
Corroboration

Reasoning Depth Analysis

Org Signal:Reinforces the standing CVE-first doctrine: security gates release work, and Peter backs his Linux lead when that call is made.
Who Affected:Google (deal timing), Nathan and Justin teams (weekend verification work), Bjorn and Kelly (deal owners - given the commitment timing).
Precedent:How CIQ communicates slips to strategic customers: proactive, value-framed, selectively surfacing only the CVEs relevant to that customer.
Consequences:Real - Peter authorized weekend framing and personally wrote and sent the customer email.
Timing:Forced now by a 3-days-to-deadline collision with incoming critical CVEs while Google is at the signing table.

Related Context

💬
#google-partnership-governance

slack

I would give the same answer. The CVEs need to come first, there is zero point in doing release work that has known zero-days in them. This cannot slip 22 days when we are 3 days from the initial expected date. This is where I would comfortably ask someone to work a weekend. We should only be telling google about ones they benefit from.

📧
GDC minimal kernel delivery and 0-day CVEs (to Tissa et al.)

email

We have had to re-prioritize focus on some 0-day CVEs and will need to slip our kernel delivery date by no more than a week. Local privilege escalations; treating as critical. Delivery no later than the 17th.

Outcome

No outcome recorded yet.

Decision ID: fd9a0d56-68f3-4a5e-a0d7-98435bc4cc51