Security experts weigh in on Microsoft-Google security vulnerability disclosure


In December, WinBeta reported on a Microsoft bug found by a Google researcher known as "forshaw." Yesterday, the first Patch Tuesday of 2015, Microsoft released a patch fixing the security flaw. Microsoft has since criticized Google's disclosure as negligent and unprofessional. Google countered that it originally shared the information with Microsoft on October 13, 2014, under its strict 90-day disclosure policy. Microsoft asked Google to withhold details about the issue until a fix was released, but once the 90 days were up Google published the details of the bug before Microsoft's fix shipped.

It is unclear whether Google or Microsoft is to blame for this failure of communication, but ideally companies would have a way to resolve such disputes privately rather than airing vulnerability details publicly. Michael Taylor, lead developer at Rook Securities, gave his opinion:

Google provided Microsoft ample time to identify and create a suitable patch for this issue. Microsoft had two full patch cycles to address this vulnerability before Google disclosed it publicly. The question is why Microsoft was unable or unwilling to address these vulnerabilities in a timely manner.
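The timeline in the opening paragraph and Taylor's "two full patch cycles" claim can be checked rather than argued about. The following is an added example, not code from the article or from either vendor; it assumes the October 13, 2014 report date the article gives and that a Patch Tuesday is the second Tuesday of each month (a convention, not something the article states), and it computes the 90-day deadline, the Patch Tuesdays that fell inside that window, and the first Patch Tuesday after the deadline.

```python
from datetime import date, timedelta

# Assumption: Microsoft ships monthly fixes on the second Tuesday of the month.
PATCH_WEEKDAY = 1  # datetime.weekday(): Monday == 0, Tuesday == 1


def second_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (the assumed Patch Tuesday)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (PATCH_WEEKDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def disclosure_deadline(reported: date, policy_days: int = 90) -> date:
    """Deadline under a fixed-length disclosure policy (90 days, per the article)."""
    return reported + timedelta(days=policy_days)


def _months(start: date, end: date):
    """Yield (year, month) for every calendar month from start's month to end's month."""
    year, month = start.year, start.month
    while date(year, month, 1) <= end:
        yield year, month
        month += 1
        if month > 12:
            month, year = 1, year + 1


def patch_tuesdays_between(start: date, end: date) -> list[date]:
    """Patch Tuesdays strictly after `start` and on or before `end`."""
    return [
        pt
        for year, month in _months(start, end)
        if start < (pt := second_tuesday(year, month)) <= end
    ]


def next_patch_tuesday(after: date) -> date:
    """First Patch Tuesday strictly after the given date."""
    # Look at most two months ahead: the next second Tuesday is always within that span.
    probe = after
    for _ in range(3):
        pt = second_tuesday(probe.year, probe.month)
        if pt > after:
            return pt
        probe = date(probe.year + (probe.month == 12), probe.month % 12 + 1, 1)
    raise RuntimeError("unreachable: a Patch Tuesday must occur within two months")


def disclosure_timeline(reported: date, policy_days: int = 90) -> dict:
    """Summarise the windows a vendor had before a fixed-deadline disclosure."""
    deadline = disclosure_deadline(reported, policy_days)
    return {
        "reported": reported,
        "deadline": deadline,
        "patch_tuesdays_in_window": patch_tuesdays_between(reported, deadline),
        "first_patch_tuesday_after_deadline": next_patch_tuesday(deadline),
    }


if __name__ == "__main__":
    # Constructed from the article's stated report date.
    for key, value in disclosure_timeline(date(2014, 10, 13)).items():
        print(f"{key}: {value}")
```

Running it shows a deadline of January 11, 2015, with Patch Tuesdays on October 14 (one day after the report, too soon to carry a fix), November 11 and December 9 inside the window, and the next one on January 13, 2015, two days after the deadline expired. That is the arithmetic behind both Taylor's "two full patch cycles" and Microsoft's complaint that the fix was only days away.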

I do not know which company is right or wrong, but I think there should be a better system in place for sharing this sort of private information. Surely, Google would not want such a security flaw publicly exposed on their Android OS. Researchers want to know that vendors take their vulnerability discoveries seriously and maybe the Google leak was the researchers’ way of getting the attention that they deserve.   

I feel like Google gave Microsoft adequate time to create a patch for the security flaw. Microsoft seems heated that the information was shared publicly, allowing the flaw to be exploited. I think Google releasing the security vulnerability, with the code to exploit the vulnerability, is irresponsible. I think Google should have taken more steps in contacting Microsoft about the security flaw, regardless of whether the companies are competitors.

Your thoughts?
