Google's Project Zero team publicised an unpatched flaw in Windows systems on Sunday. The Windows 8.1 affecting bug was therefore more likely to be exploited by hackers, malware writers and the like before it could be patched later today – Patch Tuesday.
The Project Zero team find software bugs and vulnerabilities and give developers 90 days to fix the problem before making the problems public. Google initially told Microsoft about the Windows 8.1 bug on 13th October 2014. So following its own pre-set rule it publicised the bug on Sunday, the 11th January.
The inter-company friction arises from the following: Microsoft had asked Google to delay its making public of the bug information for a couple of days so Windows users could be patched. However it seems like Google wouldn't break its own 90 day rule and went ahead to make public the flaw on Sunday.
Google 'Gotcha'
In response to Google's lack of flexibility, Microsoft exec Chris Betz wrote in a blog on the company's site on Sunday "We asked Google to work with us to protect customers by withholding details until Tuesday, Jan. 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result." Betz added "What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
Opinion is split between whether Google was right to publicise the bug on principal, or it should have had some flexibility to help protect Windows users. The BBC has quotes from supporters on both sides of the argument but at the time of writing Google is yet to officially respond to the Microsoft TechNet blog post by Chris Betz.
What do readers think about Google Project Zero and its disclosure of the unpatched bug in this case?
