A while ago Google announced its Project Zero, a team of security researchers whose goal is to find bugs in software so that you, dear user, can use the web and technology securely. They were very up front about how the team would work: they would report the bugs and vulnerabilities they found to the companies or people responsible for maintaining the software, give the developers 90 days to fix the bug, and then let the world know about it.
It turns out that Microsoft Windows has a few bugs in it (who knew?). On more than one occasion Google discovered vulnerabilities in Windows. On two of these occasions Microsoft was notified of the vulnerabilities and was “unable” to patch them before the 90 days elapsed. I have read many articles about this and I feel like they are almost all completely out to lunch. I won’t even link to them because I feel they are so poorly informed on this topic.
Tell Me A Secret
There are basically three types of disclosure.

Non-disclosure is where a security researcher finds a vulnerability and informs the software vendor about it, but the public at large never finds out. The vendor may fix the issue or may not; there really isn’t much motivation to fix it. Due to the nature of it, we don’t know how often this happens, but I think it is safe to say that it happens more often than most people think, and more often than it should.

Full disclosure is the other end of the spectrum, where the vendor finds out about the vulnerability at the same time the public does. Many people, including myself, feel that this type of disclosure is often dangerous. Unfortunately it is often very effective at motivating the company to fix the issue, as the publicity generated by the disclosure is usually higher than it would be under different circumstances.

The middle ground is something called responsible disclosure. This is where the vendor is notified about the vulnerability ahead of the general public. Sometimes the timeline for public disclosure is days or weeks, often it is months, sometimes even years. The public is arguably safer than with full disclosure, as random bad guys can’t take advantage of the vulnerability until it is disclosed, and the company is more motivated to fix the vulnerability than with non-disclosure. So it is the very definition of a compromise.

Many flame wars have been had over the disclosure debate. For some weird reason, the infosec community has never really had the chance to have a proper, grown-up conversation about how disclosure should happen. Because of this, responsible disclosure means different things to different people. It is a loose, de facto “standard”? I guess. The length of time given to fix the vulnerability is often tied to how difficult it is to patch. If it requires just a minor server-side update, disclosure doesn’t need to wait long after the fix. If it is something hard-coded into point-of-sale terminals, it may take years to patch the vulnerability, and disclosure may have to wait that long. If you asked most infosec people what a fair term before disclosure was, they would likely say 90 days.
Didn’t a Microsoft Employee Coin the Term “Responsible Disclosure”?
Most articles have either demonized Google for disclosing, or touted how it unilaterally decided the terms of its disclosure policy, or focused on why Google didn’t wait for Microsoft to fix the vulnerability. The problem is that if Google gave Microsoft more than 90 days, the deadline would slip to 120 days, then 150 days, and so on. It wouldn’t happen on every occasion, but it would delay things, and meanwhile users are vulnerable to the problem without knowing it. The reason you set a date and stick to it is that you cannot play favourites with vulnerabilities.
What Exactly Is It That You Do Again?
The following is what was missing from all of the articles I have read about this story. So Microsoft makes software, yes? They also make software that helps you make software. As pioneers of it, I think they understand the software development lifecycle. They should be decently good at it at this point. If an organization with the resources of a company like Microsoft can’t fix these issues in 30 days, let alone 90 days, then surely there is no hope for any of us.