Monday 19 January 2015

Google's 90-Day Exposure Policy

Google and Microsoft Vulnerability Exposure and Disclosure

At the beginning of this month, I wrote a post about Google's new policy of researching vulnerabilities of other companies' technology and platforms, and then posting the details of the flaws and (more controversially) some sample exploit code.

Microsoft has responded with a blog post from Chris Betz that called for better Coordinated Vulnerability Disclosure (CVD), in which Chris comments that:
"Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp."
You can read more about Microsoft's disclosure approach (CVD) here.

I am still struggling with my views on this topic, as I feel that Google may have slightly over-played their hand here by publishing sample code and releasing the information the day before a patch was due to be released by Microsoft. Google says that 90 days is enough to sort out a bug and deliver a patch. Really? For whom? And does Google have to support four desktop and server operating systems with over a billion users?

"Not my problem," says Google.
"Yeah, and not cool, either," I would say.

Chris Goettl, the Patch product manager from Landesk, has this to say:
"There were no public code examples or disclosure before Google announced this, and no known attacks were in the wild. In this case I think Google acted irresponsibly. In the increasingly more dangerous Cyber world we live in, companies like Microsoft and Google should be setting examples to follow. This example is not an example I would urge vendors to follow."

I agree.

And now Google has published another Windows flaw, and this one is even worse (more dangerous) than the first reported issue. This flaw may result in an information disclosure scenario where Windows does not check the user identity when performing cryptographic operations. You can read more about this flaw here.

To their credit, Microsoft had been working on this issue and had developed a patch, but at the last minute encountered some compatibility issues with the security update. The fix is now scheduled for the February Patch Tuesday update cycle.

Given that it takes some organizations between thirty and sixty days to fully deploy a patch to all their affected systems, it looks like Google's "90-day disclosure policy" is more like a "90-day exposure policy".
