To people calling this a dick move by Google, I encourage you to look at the actual issue in Monorail. The reason given for not extending the deadline was that the issue is not particularly severe, and there are also similar bypass issues which are currently unpatched. If it isn't going to help protect customers, what's the point in granting an exception?<p><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1514#c3" rel="nofollow">https://bugs.chromium.org/p/project-zero/issues/detail?id=15...</a>
The only "dick move" involved here is the fact that zdnet wrote this article. Minor security issue lapses standard disclosure deadline? Who cares. Instead we get this attempt to sensationalize this into some kind of big Google vs. Microsoft rivalry.
Original source: <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1514&q=" rel="nofollow">https://bugs.chromium.org/p/project-zero/issues/detail?id=15...</a>
<i>Google reported the issue to Microsoft on January 19. Microsoft confirmed the issue about three weeks later</i><p>Microsoft should make a mental note that when you receive an email from a member of Google's Project Zero team you don't wait 3 weeks to respond.
Google, you have 90 days to stop tracking web users, then Windows will start asking desktop users if they would like to block tracking by filtering DNS requests
Why 90 days? Why not 30, 14, or 7?
Microsoft might have requested responsible disclosure for exploits affecting Windows, but what gave Google the right to set a deadline?<p>I feel the 2 US companies have a friendly competition with each other which can help secure their systems.
I think there are so many points of view here. I'm not going to defend Google nor Microsoft, but imagine you're paid by Google to work on security issues. What would be the metric to prove your existence, if there is no public awareness of your work, like this zdnet article? Project Zero IMO from time to time needs to show they exist and are doing a great job. I think that could be one of the reasons why they resist prolonging the standard 90-day period.
Read about the details. Wow, having a bug like this being discussed so broadly shines a bad light on Google IMHO. It appears like targeted news against Microsoft. It's not much of a newsworthy defense-in-depth issue. If an adversary can modify the registry, they can do a lot more harm.
Denying the deadline extension to May 8th [1] is quite a dick move by Google, considering that it took them 6 <i>months</i> to fix the extremely harmful sitemap ranking bug in their search engine[2]. And after they fixed the bug, they only paid peanuts to the researcher for a bug that could've cost Google's customers tens of millions in misplaced ad campaigns.<p>1: <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1514#c3" rel="nofollow">https://bugs.chromium.org/p/project-zero/issues/detail?id=15...</a><p>2: <a href="http://www.tomanthony.co.uk/blog/google-xml-sitemap-auth-bypass-black-hat-seo-bug-bounty/" rel="nofollow">http://www.tomanthony.co.uk/blog/google-xml-sitemap-auth-byp...</a>