Microsoft has strongly criticised Google for disclosing a serious bug in Windows 8.1, two days before it was due to issue a fix.
Google revealed the security flaw this weekend. It did so because the rules of Project Zero, its security research project, say it should make bugs public 90 days after it reports them to the company affected. Microsoft was notified about the issue in question on October 13th 2014.
Microsoft is annoyed because it had asked Google to hold off publishing details of the bug before it pushed a fixed on one of its regular Patch Tuesdays this week.
Chris Betz, Microsoft’s senior director for trustworthy computing, wrote that Google’s move “feels less like principles and more like a ‘gotcha’, with customers the one who may suffer as a result.”
He continues: “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.” Microsoft has called for Google to sign up to its Coordinated Vulnerability Disclosure policy.
Google security researcher Ben Hawkes defended its 90-day disclosure policy after a previous Windows security flaw was revealed. He said that “disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.”
It’s clear that Microsoft doesn’t agree. You can expect to see many more of these spats in the future.
➤ A Call for Better Coordinated Vulnerability Disclosure [Microsoft Security Response Center]