Ethics and software bugs
Matthew Martin
4/28/2015 09:45:00 AM
One could doubt the arbitrary 90-day limit. Several software makers, including Microsoft, have been caught just on the edge with a fix prepared within 90 days but unable to push it to users in time to beat the deadline. The Microsoft case forced Google to revise policy so companies can get a short extension if a fix is almost ready, but in other situations, 90 days might simply not be long enough to devise a fix.
But even ignoring those issues, I'm still not convinced that publishing the details is the right approach. It's easy to blame software makers for not taking care of a security risk, but they aren't the only parties to be concerned about. The fact is that a pretty large share of software users regularly delay or even refuse security updates. Sometimes they simply aren't able to update right away--a spotty internet connection or limited battery life, for example, or even just a busy in-real-life schedule that can't be bothered with computer stuff. Others actively distrust updates--it's often hard to tell the difference between a critical security update and spam wanting to install crapware. And a third group--possibly a majority of computer users--is simply apathetic and doesn't understand the security risks.
Thus, most software makers seem to be able to satisfy the demands of Google's doomsday device, but we really don't know what share of software users do the same. I'd bet the numbers are not good.
I guess the moral in all this is you should make sure you always have all your updates for all your software and operating systems on all your devices. Because Google is telling everyone how to hack them.
A second (and IMO weaker) argument is that the arbitrary but standardized time limit incentivizes software vendors to react promptly to security flaw disclosures. It's an argument similar to that made for the existence of criminal punishment.