Predictably enough, sticking to a strict 90-day deadline for publishing details of sometimes serious vulnerabilities, regardless of whether there’s a vendor patch available, caused major industry furore.
In an ideal world, vendors should respond and patch vulnerabilities fast - and three months is plenty of time.
Having a deadline to deliver the goods or risk having customers dump your software or hardware because it’s exploitable may seem harsh, but it provides an incentive to take security concerns seriously.
Google’s also right in assuming that because its researchers can find the vulnerabilities, the bad guys are likely to have discovered them as well. Ergo, the longer end-users have to wait for a patch, the greater the danger.
Those are all valid arguments.
But that kind of approach clearly hasn’t won Google any friends, because not all problems are the same - and that, too, is fair enough. For example, what if Project Zero had discovered the JASBUG misdesign in Windows and started the 90-day countdown?
JASBUG took Microsoft over a year to sort out because it meant changing fundamental parts of Windows, and testing the new code to make sure it worked and didn’t break anything inadvertently.
During that year, the researchers kept quiet about the issue.
We can’t assume Google plays infosec hardball solely out of gallantry and concerns for end-user security. As an enterprise, Google faces enormous risks if end-user systems aren’t kept safe and secure.
If access isn’t secure, masses of customer data could be compromised or damaged. Should that happen, people will lose faith in Google and stop using it, or sue the company.
That’s the backdrop against which the recent developments should be seen - and it’s something that’s happened before: Microsoft’s security reputation was in tatters in the early days of the new millennium before Craig Mundie pieced together the Trustworthy Computing strategy that pulled the company out of a pretty serious rut.
As the company has grown, Google’s started to slide into a similar hole. One good example is the fragmented Android mobile operating system that runs on millions of devices.
Even if Google patches some of the many vulnerabilities found in older versions, vendors either can’t or won’t patch customer devices - or provide an upgrade to newer versions of Android.
Nor can Google force its vendor partners - or their millions of end-users - to act and secure their vulnerable devices.
That situation is so bad that Google’s dropped support for a core OS component that it can’t patch in older versions of Android, and asked people to use alternative software instead.
With that in mind, it’ll be interesting to watch what happens this year when the Project Zero security shock troopers start ripping into Android and Chrome as promised.
Will they be as firm with the 90-day disclosure policy with their own vulnerable systems?