Google’s longstanding policy has been to inform the company that owns the software when a security flaw is found, and to give it a fixed window before details go public. For flaws that are already being exploited in the wild, that window is seven days for some form of public acknowledgement (an advisory or a mitigation) and, as Google applied it here, ten days for a patch; flaws that are not yet under attack get the usual ninety days. If the vendor does neither within the window, Google makes the announcement itself.
Seven days after Google informed Microsoft of this latest security flaw, the software giant had not released any information to its massive user base. So Google, in keeping with its policy, made the announcement, causing Microsoft to cry foul.
Microsoft’s position is that seven days is an extremely aggressive timeframe. For software as complex as the Windows operating system, it is seldom enough time even to research and verify the problem, and ten days is certainly not enough to prepare, test, and ship a patch across every supported version.
Google’s view on the matter is significantly different. From its point of view, informing the public does two things. First, it spurs the company that owns the software into action: once the flaw is widely known, the clock starts ticking, and it is only a matter of time before attackers begin to exploit it, so the vendor has every incentive to fix it quickly. Google argues that this pressure makes the entire ecosystem stronger.
Second, Google contends that disclosure lets the users of the software know the risks they face, so they can apply workarounds or limit their exposure. If the vendor isn’t forthcoming, someone has to be. There is something to be said for both sides of the argument. On one hand, this has been Google’s standard practice for years, and it has had the desired effect: companies now apply resources to critical security flaws very quickly, which limits risk in the long term.
On the other, announcing security flaws to the wider public carries certain risks. In their haste to fix the immediate problem, companies may not have time to properly test the new patch, which can introduce additional flaws or break existing functionality. It also alerts attackers who did not already know about the bug to a new opportunity. Granted, that window tends to be short, but a great deal of damage can be done in a short window.
In this instance, since the flaw was already being exploited by attackers around the world, disclosure gave defenders information the attackers already had, and Google seems to be on the right side of the issue. Things are not always so clear cut.