January 29, 2015
The recent conflict between Microsoft and Google regarding Google’s adherence to their 90-day disclosure policy of software vulnerabilities has brought a debate to light that has raged on for several years now.
Responsible disclosure has been a problem that has yet to be resolved in a way that both parties can agree on. On one hand there are the researchers who discover vulnerabilities in software that criminals can exploit and use to target unwitting and innocent users; on the other hand are the companies who make the software and are responsible for patching these vulnerabilities.
The question is not who is right, for that depends upon which side you’re on.
The researchers are right to be concerned about a vulnerability that they know exists and which could potentially put those who don’t know about it at risk. Their view is that if a security researcher was able to find the bug, then criminals, who search for such bugs in order to exploit them, could find it too and use it for nefarious ends.
The software developers are right to be concerned about a vulnerability becoming public before they have been able to provide a patch. Their view is that it is irresponsible to disclose an exploitable security vulnerability, complete with exploit code, prior to a patch because it is essentially inviting a criminal to exploit it.