Google’s Project Zero, which tracks bugs and exploits in software and reports them to the owner, caught a bit of internet backlash after revealing an exploit present in Windows 8.1 once the 90-day grace period had ended.
If you aren’t aware of Project Zero – which has a delightfully superhero-esque code name – here are the basics. Project Zero are a team at Google; they track and report on bugs and exploits in commonly used software, operating systems and similar products.
Before revealing a bug to the public they give the owner a 90-day grace period in which to fix the issue. After that time is up, Google publish details of the bug on their blog.
Usually the bug is fixed well ahead of time and the blog post simply serves as a detailed explanation of what the problem was and why it happened, partly to educate and partly to show the many forms that exploits can take.
The issue with the recent Windows 8.1 exploit reveal is that Microsoft had not yet fixed the issue when the details were published. For a few more details on the story itself, check out WeLiveSecurity.com.
“90 days is long enough…”
The lively discussion around Google’s Project Zero policy prompted me to ask Mark James, our very own security specialist, his opinion on the matter.
“I personally think it’s not necessarily a bad thing, finding bugs is a very important part of our security agenda,” Mark explains.
“As Google states, in most cases 90 days is long enough for the vendor to release a fix; after all, there’s a very high chance that if Google know about it then hackers are already using it to do something bad.
“There is an argument that each bug that fails to be fixed within 30 days should have an internal notification and a case-by-case decision.”
Mark thinks that a firm hand and strong stance by Google is necessary: “Let’s be honest, quite often it takes a harsh stance to get things done, and ultimately we want these bugs patched, not hanging around being abused by the wrong people.
“I would imagine Google have done their own extensive testing and 3 months seems a decent amount of time to assess and fix any serious bug.
“If the timeframe is fixed for everyone, at least you know where you stand. Microsoft are a major contender in the software business but should have no special privileges when it comes to bug fixing; they have more than enough resources and funds to get it fixed sooner rather than later.”
Not all bugs are born equal: for some, 90 days seems like a generous amount of time; for others that are more minor, it’s a good push to encourage the company in question to fix it.
If you want to comment or stay up to date with the blog, then join our LinkedIn Group.
Do you think 90 days is enough? Have you read the Project Zero blog before?