Google Discloses Details of an Unpatched Microsoft Vulnerability
Google’s Project Zero is serious about releasing the details of security vulnerabilities 90 days after it alerts the vendors, even if the vulnerabilities are still unpatched. It just exposed a nasty vulnerability in Microsoft’s browsers.
This is the second unpatched Microsoft vulnerability it exposed last week.
I’m a big fan of responsible disclosure. The threat to publish vulnerabilities is what puts pressure on vendors to patch their systems. But I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors’ products.
Michael P • March 9, 2017 6:53 AM
Having a disclosure policy is not worth much if a vulnerable product’s creator can thwart disclosure to the public by arbitrarily bumbling the process of creating and releasing fixes. Google stretched their disclosure timeline for at least one Microsoft bug last year, and Microsoft (arguably) grossly abused that tolerance. This may be largely a signal that Google is not going to let it happen again.
Meanwhile, black hats are probing to find the same bugs, and are not going to delay at all when it comes to exploiting the bugs.