Microsoft and Google have been bitter rivals for at least a decade, and the pair have had several disagreements over security vulnerability disclosure in recent years. Google is stoking those disagreements again this week by disclosing a Microsoft Edge security flaw before a patch is available. Neowin spotted that Google disclosed the security flaw to Microsoft back in November and gave Microsoft 90 days to fix it before going public, as the flaw is rated “medium” in severity.
Google also provided Microsoft with an additional 14-day grace period to have a fix ready for its monthly Patch Tuesday release in February, but Microsoft missed this goal because “the fix is more complex than initially anticipated.” It’s not clear when Microsoft will have a fix available, and the Google engineer responsible for reporting the security flaw says that, because of the complexity of the fix, Microsoft “do not yet have a fixed date set as of yet.”
The public disclosure will likely anger Microsoft, once again. The software giant hit back at Google’s approach to security patches last October, after discovering a Chrome flaw and “responsibly” disclosing it to Google so the company had enough time to patch. At the heart of the issue is whether Google’s policy of disclosing after 90 days without a patch is reasonable. Google makes exceptions to this hard rule, with grace periods, and can even disclose much sooner if the vulnerability is being actively exploited.
Two big and obvious exceptions to Google’s security disclosure rules were the recent Meltdown and Spectre bugs. Google engineers discovered the CPU flaws and Intel, AMD, and others had around six months to fix the problems before the flaws were publicly disclosed earlier this year. Chrome OS and Android devices were also affected by the processor flaws, along with Windows, Linux, macOS, and iOS.
Google wants the industry to adopt its aggressive disclosure policies, but Microsoft has so far resisted rather publicly. This latest episode isn’t as critical as some of the past disclosures, but it will likely reignite the debate over whether Google, a company with competitive commercial interests, should be leading the way on how security flaws in rival operating systems are disclosed in the public interest.