{"id":253,"date":"2015-01-15T01:25:07","date_gmt":"2015-01-15T01:25:07","guid":{"rendered":"http:\/\/outworx.com\/blog\/?p=253"},"modified":"2015-02-17T22:02:02","modified_gmt":"2015-02-17T22:02:02","slug":"chill-google-project-zero","status":"publish","type":"post","link":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/","title":{"rendered":"Chill Out, Google Project Zero!"},"content":{"rendered":"<p>On October 13, 2014, Google notified Microsoft that they had found a security bug in their software. Google&#8217;s Project Zero gives vendors 90 days before publicly disclosing the bug. \u00a0Microsoft fixed the bug, and asked Google for a bit more time so they could release the fix on their customary Patch Tuesday. \u00a0Google ignored Microsoft&#8217;s request, and released details of the vulnerability\u00a0on Sunday, January 11, 2015 &#8212; a mere two days before Patch Tuesday.<\/p>\n<p>Google acted poorly.<\/p>\n<p>By pedantically following their 90 day policy, Google made sure that the security bug was publicly known before a fix that they knew was coming just a few days later. \u00a0This doesn&#8217;t benefit anyone. \u00a0And by publishing the vulnerability on a Sunday, they made sure that Microsoft could not respond to it as effectively as on a work day. \u00a0Again, how does this benefit the community at large?<\/p>\n<p>Behind Google&#8217;s actions is the raging debate between <em>full disclosure<\/em> and <em>responsible disclosure<\/em>. \u00a0Full disclosure involves publishing vulnerabilities as soon as discovered, or more commonly after some time has passed and the vendor has not fixed them. \u00a0At first glance, full disclosure may seem irresponsible. \u00a0Why inform the bad guys when there is no fix? \u00a0But full disclosure does have an important use. \u00a0Often, a security researcher notifies the company of a bug, and\u00a0the company does not do anything. 
\u00a0But when the bug is published, companies typically take it much more seriously and fix it. \u00a0So full disclosure, used judiciously, does make software more secure.<\/p>\n<p>Responsible disclosure involves notifying the company of the bug, and keeping it under wraps until the company fixes it. \u00a0This\u00a0can make it easier for the company to respond and schedule the fix. \u00a0The downside is that if the company is slow, then a bad guy may discover it on his own and exploit it while customers have no idea about the vulnerability.<\/p>\n<p>Google leans toward full disclosure, but after a 90 day period. \u00a0Microsoft leans toward responsible disclosure.<\/p>\n<p>That said, Google should have waited two more days before disclosing the bug. \u00a0In this case, their disclosure had little value and did more harm than good. \u00a0It did not force Microsoft into fixing the bug. \u00a0Microsoft had already done that. \u00a0But it did give the hackers a two day window of opportunity.<\/p>\n<p>Google needs to amend their policy. \u00a0They should do two things:<\/p>\n<p>1.) When a vendor notifies them that a fix is coming in a short period after the 90 day period, they should wait. \u00a0They should also talk with the vendor so both sides know what the other intends &#8212; even if they disagree.<\/p>\n<p>2.) Google should never publish vulnerabilities on non-work days unless there is a compelling (and not pedantic) reason for doing so. \u00a0This places the vendor in a better situation to respond to the disclosure, and that benefits everyone.<\/p>\n<p>&nbsp;<\/p>\n<p><em>\u00a02\/17\/2015 Update. \u00a0Google has announced that they will\u00a0now disclose bugs on business days. 
\u00a0If a company contacts Google and asks for a two week extension for the patch, Google will now grant that.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 13, 2014, Google notified Microsoft that they had found a security bug in their software. Google&#8217;s Project Zero gives vendors 90 days before publicly disclosing the bug. \u00a0Microsoft fixed the bug, and asked Google for a bit more time so they could release the fix on their customary Patch Tuesday. \u00a0Google ignored Microsoft&#8217;s &hellip; <a href=\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Chill Out, Google Project Zero!&#8221;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"xn-wppe-expiration":[],"xn-wppe-expiration-action":[],"xn-wppe-expiration-prefix":[],"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0},"categories":[13],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Chill Out, Google Project Zero! | OutworX<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Chill Out, Google Project Zero! 
| OutworX\" \/>\n<meta property=\"og:description\" content=\"On October 13, 2014, Google notified Microsoft that they had found a security bug in their software. Google&#8217;s Project Zero gives vendors 90 days before publicly disclosing the bug. \u00a0Microsoft fixed the bug, and asked Google for a bit more time so they could release the fix on their customary Patch Tuesday. \u00a0Google ignored Microsoft&#8217;s &hellip; Continue reading &quot;Chill Out, Google Project Zero!&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/\" \/>\n<meta property=\"og:site_name\" content=\"OutworX\" \/>\n<meta property=\"article:published_time\" content=\"2015-01-15T01:25:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2015-02-17T22:02:02+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Outworx\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\",\"url\":\"https:\/\/www.outworx.com\/blog\/\",\"name\":\"OutworX\",\"description\":\"Blogs, News and Updates of IT Industry | OutworX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.outworx.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/#webpage\",\"url\":\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/\",\"name\":\"Chill Out, Google Project Zero! 
| OutworX\",\"isPartOf\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\"},\"datePublished\":\"2015-01-15T01:25:07+00:00\",\"dateModified\":\"2015-02-17T22:02:02+00:00\",\"author\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.outworx.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Chill Out, Google Project Zero!\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461\",\"name\":\"Outworx\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g\",\"caption\":\"Outworx\"},\"sameAs\":[\"http:\/\/www.outworx.com\"],\"url\":\"https:\/\/www.outworx.com\/blog\/author\/outworx\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Chill Out, Google Project Zero! | OutworX","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/","og_locale":"en_US","og_type":"article","og_title":"Chill Out, Google Project Zero! 
| OutworX","og_description":"On October 13, 2014, Google notified Microsoft that they had found a security bug in their software. Google&#8217;s Project Zero gives vendors 90 days before publicly disclosing the bug. \u00a0Microsoft fixed the bug, and asked Google for a bit more time so they could release the fix on their customary Patch Tuesday. \u00a0Google ignored Microsoft&#8217;s &hellip; Continue reading \"Chill Out, Google Project Zero!\"","og_url":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/","og_site_name":"OutworX","article_published_time":"2015-01-15T01:25:07+00:00","article_modified_time":"2015-02-17T22:02:02+00:00","twitter_misc":{"Written by":"Outworx","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.outworx.com\/blog\/#website","url":"https:\/\/www.outworx.com\/blog\/","name":"OutworX","description":"Blogs, News and Updates of IT Industry | OutworX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.outworx.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/#webpage","url":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/","name":"Chill Out, Google Project Zero! 
| OutworX","isPartOf":{"@id":"https:\/\/www.outworx.com\/blog\/#website"},"datePublished":"2015-01-15T01:25:07+00:00","dateModified":"2015-02-17T22:02:02+00:00","author":{"@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461"},"breadcrumb":{"@id":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.outworx.com\/blog\/chill-google-project-zero\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.outworx.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Chill Out, Google Project Zero!"}]},{"@type":"Person","@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461","name":"Outworx","image":{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g","caption":"Outworx"},"sameAs":["http:\/\/www.outworx.com"],"url":"https:\/\/www.outworx.com\/blog\/author\/outworx\/"}]}},"_links":{"self":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/253"}],"collection":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/comments?post=253"}],"version-history":[{"count":3,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/253\/revisions"}],"predecessor-version":[{"id":280,"href":"https:\/\/www.outworx.com\/blog\/wp-json
\/wp\/v2\/posts\/253\/revisions\/280"}],"wp:attachment":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media?parent=253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/categories?post=253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/tags?post=253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}