Google is continuing to investigate potential security flaws in its competitors’ software and threatening to publicly disclose these vulnerabilities if they are not patched within 90 days, despite a lukewarm response from targets like Microsoft and Apple, Bloomberg reports.
“Project Zero,” made up of an all-star team of security researchers, has been running since July 2014. But the effort has become more of a hot-button issue recently after Google revealed at least two security bugs in Microsoft’s Windows, prompting an aggravated response from the software giant.
In the most recent instance, in January, Microsoft had actively been working on a patch for a bug in Windows 8.1, and asked Google to hold off until “Patch Tuesday,” Microsoft’s established monthly date for rolling out bug fixes. A predictable schedule gives customers time to test patches before deploying them. But Google refused to bend on its standard 90-day deadline.
In response, Microsoft’s security research group director Chris Betz wrote in a blog post that “the decision [by Google] feels less like principle and more like a ‘gotcha,’ with customers the ones who suffer as a result.”
A similar incident, this time involving a bug in Windows 8, happened just weeks before the “Patch Tuesday” episode, The Verge reports. “Those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend on,” Betz said at the time.
While Project Zero is nominally devoted to upholding best practices in security, it’s easy to understand other companies’ frustrations. Google maintains a public database of all the bugs it discloses, but — as my colleague Julie Bort points out — there’s not a single one on there for Google itself.
“I’m not sure who made Google the official referee of the marketplace for vulnerability notification,” John Dickson, a principal with a software security company, told Bloomberg.
Still, the project has its supporters. By refusing to bend on deadlines, Google ensures that tech companies can’t be tempted to drag their feet on addressing the bugs. That narrows the window of opportunity for cyber criminals to exploit a vulnerability before it is fixed.
“[Google’s] strict policy is good for the industry,” Rook Security Inc. manager Tom Group told Bloomberg. “If we have huge companies like Microsoft, Apple and Google going at each other and pushing for better security, it’s a win across the board.”
But Google has been accused of hypocrisy over Project Zero, too. When a major vulnerability was discovered in an older version of Android, the company declined to patch it, arguing users should update to a newer version of the mobile OS instead (something many users cannot do at all, since Android updates depend on handset makers and carriers). It’s estimated that the flaw affected as many as 1 billion people worldwide.
Google is famously proactive about its own security checks. The company has long operated a bounty program that rewards security researchers for finding flaws in its software. Under new Vulnerability Research Grants, Google will even pay bug-hunters up front, before an issue is found, The Register reports.
It’s a sensible move: When you’re going after your opponents’ security flaws, it’s best to have your own house in order first.