As some of you might have heard, back in 2014 Google launched Project Zero which is basically Google’s way of searching for bugs and vulnerabilities on the web and in software in hopes of plugging as many holes as possible. Recently Google revealed a rather serious bug in Windows 8.1 and it seems that Microsoft isn’t too pleased by it.
Microsoft is annoyed because they had specifically told Google to hold off on publishing their report until they had gotten around to patching the bug. However Google’s policy on Project Zero is to give companies 90 days to patch their flaws before they published their report, and Google had originally discovered the issue on the 13th of October 2014.
According to Chris Betz, Microsoft’s senior director for trustworthy computing, he wrote, “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.” He then tried to urge Google to sign up for Microsoft’s Coordinated Vulnerability Disclosure policy.
However Google security research Ben Hawkes defended the company’s 90 day policy, stating that, “disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.” But what do you guys think? Should Google have given Microsoft more time to patch the problem?