In September, Project Zero discovered a bug in Windows 8.1 that allowed a malicious user to gain administrative access. To their credit, they granted Microsoft their standard 90-day window to release a patch; but when Patch Tuesday fell only two days after that window closed, the vulnerability was published anyway. It is important that researchers follow through on their deadlines, since otherwise vendors have no incentive to fix bugs, but in this case the inflexibility appears unfair.
Then in October, the same team uncovered three Apple OS X zero-days, again publishing them after 90 days, this time along with proof-of-concept exploit code. Revealing vulnerabilities in rivals' systems might appear quite crafty, but distributing tools to break into those systems is very devious. If Google's own security were excellent then you could excuse them for targeting competitors, but the number of unfixed Android bugs undermines this stance. They have since relaxed their approach, granting vendors a further 14 days if a patch is scheduled, but publishing offensive code should not be condoned.
However, the key issue here is not that Project Zero publicises vulnerabilities, nor that it shames other companies for their insecurity. Indeed, pressuring vendors to improve security is important, as security barely factors into their current strategies. The problem is that Google can hurl vulnerabilities at its rivals through an affiliated group and those competitors cannot return fire. What we need are more Project Zeros.
In a world where every tech giant possesses an offensive hacking team, and bugs are responsibly disclosed, security improves for everyone. Rather than the public being held to ransom by corporate bickering, as appeared to happen in the Windows case, Microsoft could respond by highlighting the vulnerabilities in Chrome that need addressing. Security finally becomes a competitive advantage as companies try to avoid public shaming over their insecure systems, and vendors actually invest more time testing products before release. There is a risk that, in the resulting blizzard of vulnerability reports, consumers might become blasé about bug announcements, but over time the average security of software should only increase.