About six months ago, Google started Project Zero, an effort to find software vulnerabilities in popular applications. When Project Zero researchers find a bug, they give the developer just 90 days to fix it. They recently disclosed flaws in Microsoft and Apple products.
Chris Betz, senior director of Microsoft’s Security Response Center (MSRC), criticized those disclosures, writing, “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Paul Ducklin, head of technology for security vendor Sophos, also criticized the move, writing, “As far as we can see, Google’s high horse about 90 days being enough for a ‘broadly available patch’ isn’t really borne out in its own Android ecosystem. Security patches may make it into Google’s Android Open Source Project in just a few days, which sort-of makes them ‘broadly available,’ yet those same patches often can’t be deployed by Android users for weeks, months, years, perhaps even ever.”