Criticism Rises for Google’s 90-Day Bug Disclosure Policy


About six months ago, Google started Project Zero, an effort to find software vulnerabilities in popular applications. When Project Zero researchers find a bug, they give the vendor 90 days to fix it before the details are disclosed publicly. Under that policy, they recently disclosed flaws in Microsoft and Apple products.

Chris Betz, senior director of Microsoft’s Security Response Center (MSRC), criticized those disclosures, writing, “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Paul Ducklin, head of technology for security vendor Sophos, also criticized the move, writing, “As far as we can see, Google’s high horse about 90 days being enough for a ‘broadly available patch’ isn’t really borne out in its own Android ecosystem. Security patches may make it into Google’s Android Open Source Project in just a few days, which sort-of makes them ‘broadly available,’ yet those same patches often can’t be deployed by Android users for weeks, months, years, perhaps even ever.”
