Security is a part of every IT company’s development process because their customers need to be safe and protected from cyber threats. Google, through its “Project Zero”, has a policy of bug discovery and disclosure which forces companies to patch bugs in their code fast or be outed. Recently Microsoft has been at the receiving end of this security policy when Google publicly posted malicious code to exploit vulnerabilities in Windows, even as Microsoft was working on a fix, delivered just a few days after Google’s “deadline”. Now the rigid automated security initiative will be slightly relaxed when it comes to the automatic disclosure of bugs.
The new policy will give companies two extra weeks if the bug is actively being patched. Also Google will not disclose on weekends or holidays giving companies more working hours to focus on their rollout. These new delays in releasing bugs and sample code could have prevented a couple of Windows vulnerabilities from being published, but some would have been released anyway. Microsoft had planned to fix a bug in the January patch Tuesday but pushed it back a month due to compatibility, and Google’s new two weeks wouldn’t have been enough to prevent the malicious code from being released.
While this is a step in the right direction there will still be several cases where companies don’t patch their code in time. Companies like Microsoft and Adobe have massive install bases with billions of computers running their code and their development and testing time would be significantly longer than small companies. However popular software packages also have the greatest potential to put the most people at risk with security flaws so patching code fast needs to be a priority. Google’s security project seems well intended and seems to be aimed at protecting consumers, but time will tell if their efforts do more harm or good. In the meantime popular software products like Windows and Adobe Reader and Flash may remain the focus of Google’s well intended corporate bullying.
