Vulnerability Disclosures: Who should be in charge? The US Department of Code, of course!

Microsoft and Google disagree about the mechanics, reporting, and resolution of bug disclosures. They are not the only ones with this disagreement. According to Ars Technica, the security community has two schools of thought on this issue:

(1) Coordinated Vulnerability Disclosure (CVD)

Flaws are disclosed in private to the developer. Details are not published until the bug is fixed and a patch distributed.

(2) Full Disclosure

Security flaws should be documented and described in full, in public, typically on a mailing list.

Microsoft favors (1) CVD, whereas Google favors (2) Full Disclosure.

Normally the two companies would simply “agree to disagree”.

However, Google discovered a bug in Microsoft code and privately reported it to Microsoft. Microsoft did not publish a patch within 90 days. Google’s policy is to give developers 90 days to release a bug fix, and then go public. So, Google went public even though Microsoft planned to release its patch on day 92. Day 92 coincided with Microsoft’s “Patch Tuesday” – the day when Microsoft releases all bug fixes and patches.

What is the solution? Who is right and who is wrong? What were the potential risks?

Our concern is that the two companies could not privately and quietly work out an amicable solution. This leads us to believe that an independent third party with a mandate for assuring cyber security should arbitrate this type of dispute.

Who is this third party? The US Department of Code. As we noted in an earlier blog post:

Just like the USDA inspects food to prevent unsafe and unsanitary conditions for the public, a U.S. department of code would create established software standards that are enforceable by law. This would place more responsibility on developers to discover and fix bugs before software is released.

Our guess is that the US Department of Code would favor Coordinated Vulnerability Disclosure, but it would insist that the bug fix be released as early as possible. There would be no waiting for “Patch Tuesday”. If this were not convenient for IT administrators, too bad. The requirement for high quality software and security would trump convenience.