
Calculation of Bug Disclosure, Microsoft and Google


Once again Microsoft and Google are at odds over the recurring question of bug disclosure. A few days ago Google revealed the existence of a Windows elevation-of-privilege flaw that the company had privately reported to Microsoft in October 2014. The flaw has not been fixed yet. According to Google a fix is coming very soon, but publishing the flaw means that for some days Windows users are exposed to an unpatched vulnerability.

In response to Google's publication, Chris Betz, senior director of the Microsoft Security Response Center, published a lengthy complaint calling for "better coordinated vulnerability disclosure." According to him, Microsoft has been promoting "coordinated vulnerability disclosure" since 2010, but the security community is still divided on how best to disclose security flaws. There are two extremes in the security community. One extreme demands full disclosure: the flaw is fully documented and described in public, typically on a mailing list. Often that public post is the first time the software developer hears of the flaw, although some full-disclosure advocates do promise to report flaws to vendors first.

Vendors such as Microsoft favored a different approach, responsible disclosure. In responsible disclosure, the flaw is reported in private to the software developer, and details are not published until the bug has been fixed and a patch distributed. This traditional approach proved problematic, so Microsoft rebranded the concept as "coordinated vulnerability disclosure" (CVD). CVD works in much the same way as responsible disclosure, though it opens the door to public disclosure before a patch is available.

Unlike Microsoft, Google's policy leans toward full disclosure. The company gives software developers 90 days to release a fix, after which Google goes public with the flaw. That is what Google did here, and it reflects Google's hard-line stance. Even without a fix, knowing the details of a bug can often allow various kinds of mitigation to be put in place, providing some protection against exploitation. Given the risk that the bug is already known to malicious parties, even this limited protection can be valuable.
