
Google relaxes strict bug disclosure rules after Microsoft grievances

Gregg Keizer | Feb. 16, 2015
After dust-up between the companies over bug revelations, Google offers 14-day grace period before going public.

Had the new grace period been in place, some but not all of the Windows vulnerabilities disclosed by Project Zero this year would have been kept under wraps until Microsoft had patched them, including the one Betz was angry about last month.

Some, however, would have still been revealed prior to patching.

One of those vulnerabilities had been reported to Microsoft on Oct. 17, with an expiration date of Jan. 15, when Google automatically unveiled details and proof-of-concept attack code. At the time, Project Zero's bug tracker asserted that while Microsoft had initially intended to patch the vulnerability on Jan. 13, it pulled the fix "due to compatibility issues" and rescheduled it for the Feb. 10 collection. It was, in fact, patched earlier this week.

A two-week grace would not have helped Microsoft in that case.

But the grace period should answer critics who took Project Zero to task for its hard-liner policy.

"Microsoft is never going to get a fix into the first Patch Tuesday after a report, nor in the second depending on the timing," said Chet Wisniewski, a security researcher with Sophos, in a January interview. Because of Microsoft's similarly rigid Patch Tuesday schedule -- the second Tuesday of each month -- Google's disclosure deadline could "push right against the deadline almost every time," Wisniewski argued.
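The timing argument above, and the Oct. 17 report discussed earlier, can be checked with a small calendar calculation. The following script is an added illustration, not code from Google, Microsoft or the article; it assumes the article's figures (a 90-day deadline and a 14-day grace period), assumes the grace period covers a fix that lands within 14 days after the deadline, and computes Patch Tuesday as the second Tuesday of the month. The dates used as input are the ones the article gives.

```python
from datetime import date, timedelta

# Figures taken from the article: Project Zero's 90-day disclosure deadline and
# the new 14-day grace period for vendors with a fix already scheduled.
DISCLOSURE_WINDOW = timedelta(days=90)
GRACE_PERIOD = timedelta(days=14)


def _as_date(d):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular patch release day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def patch_tuesdays_between(start, end):
    """All Patch Tuesdays strictly after 'start' and on or before 'end'."""
    start, end = _as_date(start), _as_date(end)
    year, month = start.year, start.month
    found = []
    while True:
        pt = patch_tuesday(year, month)
        if pt > end:
            return found
        if pt > start:
            found.append(pt)
        month += 1
        if month > 12:
            month, year = 1, year + 1


def disclosure_plan(reported, scheduled_patch):
    """Place a scheduled fix relative to the 90-day deadline and the grace period."""
    reported, scheduled_patch = _as_date(reported), _as_date(scheduled_patch)
    deadline = reported + DISCLOSURE_WINDOW
    grace_end = deadline + GRACE_PERIOD
    windows = patch_tuesdays_between(reported, deadline)
    return {
        "deadline": deadline,
        "grace_end": grace_end,
        "patch_tuesdays_before_deadline": windows,
        # Slack between the last in-window Patch Tuesday and the deadline:
        # the squeeze Wisniewski describes.
        "days_from_last_patch_tuesday_to_deadline":
            (deadline - windows[-1]).days if windows else None,
        "fixed_before_deadline": scheduled_patch <= deadline,
        # Assumption: the grace period applies to a fix landing within 14 days
        # after the deadline.
        "covered_by_grace": deadline < scheduled_patch <= grace_end,
        "disclosed_before_fix": scheduled_patch > grace_end,
    }


if __name__ == "__main__":
    # The article's case: reported 2014-10-17, fix planned for the January
    # Patch Tuesday, then pulled and rescheduled for February's.
    for planned in ("2015-01-13", "2015-02-10"):
        plan = disclosure_plan("2014-10-17", planned)
        print(f"fix planned {planned}: deadline {plan['deadline']}, "
              f"grace ends {plan['grace_end']}, "
              f"fixed before deadline={plan['fixed_before_deadline']}, "
              f"covered by grace={plan['covered_by_grace']}, "
              f"disclosed before fix={plan['disclosed_before_fix']}")
```

For the Oct. 17 report the deadline falls on Jan. 15, two days after the January Patch Tuesday, so a fix that slipped to the February release date of Feb. 10 is outside the Jan. 29 end of the grace period: the grace period would not have changed the outcome in that case, as the article notes.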

The automated disclosure system also removed the human element, critics said. "Google's pretty big on things being automated, versus people-driven processes," pointed out John Pescatore, director of emerging security trends at the SANS Institute, also in a January interview on Project Zero's approach.

Wisniewski thought there was another reason for the automated disclosure, and the resulting inflexibility.

"If Google made it automatic, then it can't be accused of being vindictive," said Wisniewski, referring to previous clashes between Google security engineers and Microsoft, when that charge had been leveled against the former after they revealed bugs without giving Microsoft more than a few days to patch.

Storms saw the grace period as evidence that Google realized the all-automatic disclosure process wasn't appropriate.

"It's a 'gimme,' as in the vendor saying, 'Gimme a break, I'm so close to a patch,'" said Storms of the additional time. "You have to consider the goal, which is not to shame people, but to get things fixed. [The grace period] adds a human element to it, which is necessary."

As of Friday, there were two vulnerabilities on the Project Zero bug tracker that had exceeded the 90-day deadline. Both were for flaws in Adobe's Reader; Adobe had patched the bugs in December in the Windows version of Reader, but has not yet addressed the same vulnerabilities in the OS X version of the PDF program.
