Vulnerability disclosure is not only important but also sensitive. When dealing with vulnerability disclosures, security researchers and software companies need to act together and work cohesively as a single unit so that customers' interests are protected.
For many years, Microsoft has been working to plan countermeasures against malicious activity that attempts to weaken the devices and services on which a large number of customers rely and trust. Microsoft has also made several vulnerability disclosures concerning third-party software.
Recently, however, Microsoft pulled up Google and seemed visibly miffed at it for publishing a Windows 8.1 security vulnerability even though the update was just around the corner.
The search engine giant released information about the Windows 8.1 security vulnerability even though it had been asked not to, since Microsoft had planned to release the fix for the vulnerability on Tuesday, January 13. Questioning the timing of Google's disclosure, Microsoft replied that publishing the details could compromise the security of millions of customers, because someone could use the vulnerability to plan an attack. Microsoft has asked Google to work collectively with it, as protection of customers has to be the final goal for both companies.
Chris Betz, Senior Director, MSRC Trustworthy Computing, said on the TechNet Blogs:
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal”.
Asking Google for better coordination and responsible behaviour, Microsoft said that it believes in Coordinated Vulnerability Disclosure (CVD). According to Microsoft's policies, it is necessary to fully assess a vulnerability against various factors and issue a fix before disclosing it to the public. This can minimize the risk to customers and help prevent cyber crime. If vulnerabilities are disclosed privately, with cooperation, and are fixed by vendors each year, cyber criminals get minimal opportunity to commit cyber crime.
Microsoft further said that people should understand that remediating a vulnerability is a complex, extensive and time-consuming process. It takes years of experience to attain sufficient knowledge to gain insight into a vulnerability and measure the effect it can have on systems. That effect has to be evaluated with various dimensions in mind before reaching a conclusion and attempting a fix.
Microsoft has taken up the responsibility of working in customers' best interest, in coordination and cooperation with software vendors, to protect customers and reduce cyber crime to the best of its abilities.