Google's Project Zero is not the only research group that imposes a disclosure deadline. HP's ZDI's policy is to make reported flaws public after 120 days. In fact, ZDI has also automatically reported Microsoft zero-day flaws.
In May 2014, HP ZDI publicly reported the CVE-2014-1770 vulnerability, a zero-day flaw in Microsoft's Internet Explorer browser. That particular flaw had first been reported to Microsoft on Nov. 11, 2013, and HP ZDI actually waited more than 180 days before publicly disclosing the issue. HP ZDI shortened its disclosure deadline from 180 days to 120 days in March 2014.
In response to a question from eWEEK about Google's disclosure deadline policy, Microsoft provided a generic response about its view on disclosure. "It is always important to think first and foremost about the safety of computer users," a Microsoft spokesperson stated in an email. "As a result, we believe in coordinated vulnerability disclosure that allows technology companies to provide ways for their customers to respond before technical details are released publicly."
The debate over disclosure deadlines is not likely to subside any time soon. When zero-day bug information is released publicly, end users are, no doubt, left at risk. The question, though, is whether they are at more or less risk as a result of a bug that is made public before a patch has been issued. Does pushing out a public vulnerability disclosure embarrass the software vendor to act?
In the case of the CVE-2104-1770 Microsoft Internet Explorer vulnerability, HP ZDI publicly disclosed the issue on May 21, 2014, and Microsoft patched the issue on June 10, 2014 . Given that HP ZDI first reported the issue in November 2013, perhaps the public disclosure was the little push that was needed to finally get CVE-2104-1770 patched.
Whether Microsoft will be able to keep pace in 2015 with the volume of disclosure deadlines it faces from security researchers will be interesting to watch. HP ZDI has a public listing of its upcoming disclosure deadlines, and Microsoft is on the list with multiple upcoming deadlines, the first being Feb. 2. Will Microsoft patch in time? Only time will tell.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.