Microsoft today announced a new security policy for apps served through the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace: 180 days to patch. Third-party developers are thus required to submit an updated app within six months of being notified of a ‘Critical’ or ‘Important’ security issue.
While this is certainly an admirable attempt by Microsoft to crack down on the security of apps that it manages, 180 days is frankly way too much time. Nowadays, a security hole can be exploited in a matter of hours, and leaving one or more open for longer than a few days is simply reckless.
Of course, the 180-day limit applies only to issues that are not currently being exploited in the wild. In cases where the security hole is being exploited, Microsoft says it will “work with the developer to have an update available as soon as possible and may remove the app from the store earlier.”
The company continues:
“We also realize there may be rare cases where a developer needs more than 180 days. Should that occur – it hasn’t so far – we’ll work with the developer to get an updated app replacement as soon as possible.”
It may not be Microsoft’s responsibility to patch security issues in third-party apps, but the company can still protect its users. We would rather see the company give developers 30 days to patch their app, and maybe even less if the issue is severe.
Anything more is simply unacceptable. We’re talking about security issues here that need to be addressed immediately, not new features that are completely optional.
“We’re doing this to help protect customers and to ensure the apps available in our stores are as secure as possible,” Microsoft says. We don’t doubt that, but we think the company can do better. Nevertheless, this is certainly a start, and we can’t fault Microsoft for that.