Question

Introduction

The debate over “responsible” disclosure of software vulnerabilities has been a mainstay in the security space. In 2015, new fuel was added to the fire as Google disclosed a Microsoft Windows vulnerability, along with exploit code, two days before the scheduled patch. (Exploit code is the stretch of code that hackers can exploit to hack software.) And in 2018, the debate came back into the forefront with the infamous Intel Spectre and Meltdown chip problems.

The Google-Microsoft conflict highlights the issues that can arise between companies around disclosure. The Spectre and Meltdown flaws show how vulnerabilities can pit companies against the U.S. government and consumers.

Company v. Company Disclosure Debate

In 2015, the bug was found by Google’s in-house security research team, which searches for vulnerabilities in Google software, as well as that of other vendors, including Microsoft. Upon finding a vulnerability, Google adheres to a strict 90-day policy: Vendors are notified of the bug, and a public disclosure is automatically released 90 days after, regardless of whether the bug has been addressed.

Microsoft initially asked for an extension beyond the 90 days, which was denied by Google, as was a request to extend the disclosure date to the first “Patch Tuesday” of the month (the second Tuesday of the month, and preferred release date for patches for developers).

Microsoft criticized Google in a blog post, accusing the company’s decision of being a “gotcha” opportunity, and at the expense of the users, who were at risk for the two days between the disclosure and the patch release. Microsoft reiterated its support for “Coordinated Vulnerability Disclosure,” which calls for security researchers to work closely with developers in ensuring a fix is released before the public disclosure.

Google, and supporters of similar disclosure policies, argue that firm disclosure dates prevent developers from sweeping vulnerabilities under the rug, and should strike a balance between the public’s right to know and providing the developer a chance to fix the problem. Many take an even harder stance and propose that immediate public disclosure is the best policy.

Shortly after this incident, Google released an additional update on three Microsoft vulnerabilities.

Discussion Questions

• What should Google and Microsoft have done differently, if anything?

• Did the release unnecessarily put users at risk, or is it in the best interest of users in the long run for Google to stick to its disclosure policy?

• Is Google’s firm, 90-day policy fair? Or should it be willing to adjust depending on the situation?

• Did Microsoft adequately respond? Is sticking to “patch Tuesday” enough of a reason to wait to release the patch?

• Should Google have published the exploit code?

• What obligations do security researchers have, or are they free to publish their work as they please?

Answer 1

solution-

answer 1 - the thing that google have done differently should be that they must not release software vulnebarities with exploit code instead they must provide advisory for the vulnerabilities and microsoft must try to improve its bug in meantime instead of asking for more time.

answer 2 - yes the release is good at some extent as it awares users of the bug or software vulnebarities but it must be realeased without the explicit code but google disclosure policy is good for users in long run.

answer 3 -the google 90 day ploicy is good but it should be adjusted according to the situation as sometimes required time is genuine.

answer 4 - no sticking to the patch tuesday is not right they must try to release the patch as early as possible

answer 5- the google must not publish the exploit code as it is dangerous and make its unsecure and hackers can attack it