Chill Out, Google Project Zero!
On October 13, 2014, Google notified Microsoft that they had found a security bug in their software. Google’s Project Zero gives vendors 90 days before publicly disclosing the bug. Microsoft fixed the bug, and asked Google for a bit more time so they could release the fix on their customary Patch Tuesday. Google ignored Microsoft’s request, and released details of the vulnerability on Sunday, January 11, 2015 — a mere two days before Patch Tuesday.
Google acted poorly.
By pedantically following their 90 day policy, Google made sure that that the security bug was publicly known before a fix that they knew was coming just a few days later. This doesn’t benefit anyone. And by publishing the vulnerability on a Sunday, they made sure that Microsoft could not respond to it as effectively as on a work day. Again, how does this benefit the community at large?
Behind Google’s actions is the raging debate between full disclosure and responsible disclosure. Full disclosure involves publishing vulnerabilities as soon as discovered, or more commonly after some time has passed and the vendor has not fixed them. At first glance, full disclosure may seem irresponsible. Why inform the bad guys when there is no fix? But full disclosure does have an important use. Often, a security researcher notifies the company of a bug, and the company does not do anything. But when the bug is published, companies typically take it much more seriously and fix it. So full disclosure, used judiciously, does make software more secure.
Responsible disclosure involves notifying the company of the bug, and keeping it under wraps until the company fixes it. This can make it easier for the company to respond and schedule the fix. The downside is that if the company is slow, then a bad guy may discover it on his own and exploit it while customers have no idea about the vulnerability.
Google leans toward full disclosure, but after a 90 day period. Microsoft leans toward responsible disclosure.
That said, Google should have waited two more days before disclosing the bug. In this case, their disclosure had little value and did more harm than good. It did not force Microsoft into fixing the bug. Microsoft had already done that. But it did give the hackers a two day window of opportunity.
Google needs to amend their policy. They should do two things:
1.) When a vendor notifies them that a fix is coming in a short period after the 90 day period, they should wait. They should also talk with the vendor so both sides know what the other intends — even if they disagree.
2.) Google should never publish vulnerabilities on non-work days unless there is a compelling (and not pedantic) reason for doing so. This places the vendor in a better situation to respond to the disclosure, and that benefits everyone.
2/17/2015 Update. Google has announced that they will now disclose bugs on business days. If a company contacts Google and asks for a two week extension for the patch, Google will now grant that.