Microsoft blasts Google for vulnerability disclosure policy

Expert says coordinated disclosure is a form of censorship

full disclosure
Credit: Jen Anderson

After Google disclosed a second Microsoft vulnerability, complete with proof-of-concept code, the software giant accused them of playing 'gotcha' in a blog post heavy on criticism for Google's 90-day reporting policy.

But really, this is just another way for them to debate disclosure policy.

The latest shot fired in the war on disclosure happened on Sunday, January 11. Google's Project Zero, for the second time in less than a month, disclosed an unpatched privilege escalation flaw in Windows 8.1. The disclosure came 90-days after it was initially reported, on October 13, 2014, following Google's policy for such things.

Microsoft had initially asked Google to hold off on publishing details, because they planned to fix the problem in February's patch release.

"Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015," Google's notes explain.

In response, Microsoft said a patch for this latest bug would be delivered January 13. However, the entire process has left Microsoft feeling a bit salty. In a blog post, Chris Betz, senior director with Microsoft’s Security Response Center, said that they tried to work with Google, but the search giant wouldn't budge.

"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," he wrote.

"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

The post goes on to encourage researchers to use Coordinated Vulnerability Disclosure (CVD), which Microsoft says works better than full disclosure.

From the blog post:

"CVD philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so...

"Microsoft has long believed coordinated disclosure is the right approach and minimizes risk to customers. We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon...

"Of the vulnerabilities privately disclosed through coordinated disclosure practices and fixed each year by all software vendors, we have found that almost none are exploited before a “fix” has been provided to customers, and even after a “fix” is made publicly available only a very small amount are ever exploited. Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves."

Microsoft's thoughts on disclosure have been clear for years. They've championed the responsible (or coordinated) disclosure cause since the early 2000s, when the company was the favorite platform for security researchers. But others don't agree – and that's why the issue is so hotly debated.

1 2 Page 1
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.