Looks like they thought this would get fixed:<p>> I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline).<p>Worth mentioning that "Goes Public" implies there was a human who pulled the trigger; it was a bot:<p>> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.<p>...<p>> Deadline exceeded -- automatically derestricting
This is not the first time Google has disclosed unpatched vulns in Microsoft products [1]. Anyone know any more?<p>What's up with them not being able to patch on time? How is <i>90 days</i> not enough to get a patch out the door? That's a quarter, for goodness' sake!<p>1. <a href="https://news.ycombinator.com/item?id=12841672" rel="nofollow">https://news.ycombinator.com/item?id=12841672</a>
"Project Zero's disclosure deadline policy has been in place since the formation of our team earlier in 2014. It's the result of many years of careful consideration and industry-wide discussions about vulnerability remediation. Security researchers have been using roughly the same disclosure principles for the past 13 years (since the introduction of "Responsible Disclosure" in 2001), and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy.<p>On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security - it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response."<p>From <a href="https://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/" rel="nofollow">https://www.engadget.com/2015/01/02/google-posts-unpatched-m...</a>
Google owns a decent chunk of CloudFlare. They shared the flaw last week, as they should.<p>I see nothing close to Google trying to get MS. Instead it is what should be done.<p>Now, with things like Scrougle and MS replacing YouTube with their own, I probably would not be so nice.<p>Look at Amazon: it will not allow Chromecast to be sold on its site. Personally I would have removed Amazon from their search engine, but not Google.<p>Look at Uber. If I was Google I would use my power to destroy, but not Google.<p>Feel however you want about Google, but let's at least be fair.
> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.<p>Is this a common pattern in the bug world? Publicizing a critical bug after 90 days of no response?
The bug doesn't make it clear; was this issue reported to Microsoft?<p>I wasn't sure if I missed a sign of notification, or if vendors are automatically cc'd/whitelisted on restricted bugs for their products.