Google Project Zero Is a Project…
…where Google discovers security bugs (not exclusive to their own software or technology), and once they notify the owner of said software, the countdown clock begins.
Once the 90 days end, Google will, as threatened, reveal the bug publicly.
Screencapture: from the Google Project Zero homepage
The idea behind this is to encourage a safer internet for all but there are inherent questions when it comes to Google and Microsoft.
The long-running feud between Google and Microsoft has displayed a variety of outright hostile behaviors:
- Microsoft’s Scroogled campaign.
- Google’s repeated blocking of apps like Google Maps or YouTube from making it onto Windows Phone (after working in collaboration with Microsoft to develop the app).
- Google’s attempts to shut down ActiveSync in favor of their own CalDAV and CardDAV.
- Microsoft’s GMailman Ad.
These and many more reflect the harsh competition between the two companies in many areas:
Search, Location, Online Productivity Apps, Cloud Storage, Mobile, Mobile Apps, Operating Systems, Browsers and more.
Forget about “Hello I’m a Mac and I’m a PC”. This isn’t just negative marketing but has reached a point where users are being affected.
The Warptest POV
The main concern is that this situation seems to be only escalating, and the consumer may benefit long term but could be harmed in the short term… DO NO HARM… remember that?
The whole issue is exacerbated by the resounding absence of any Google security bugs in the same database. One would assume that the only thing better than outing your competitors’ bugs is showing how well you fixed your own. Unless you subscribe to the ludicrous notion that somewhere software exists with zero bugs.
Testing is not about “outing” bugs as an act designed to extort fixes or embarrass your competition because, let’s face it, Google, you are giving the finger not to Microsoft but to Windows users when you publicize a bug for which the fix is not entirely ready.
Will this encourage speedier solutions, or compromises in testing and deploying the bug fix? Won’t the compromises just lead to regression issues? The goal shifts from “fix the bugs” to “fix the bugs in time”, and not in a good way.
So come on Google, it’s time to remember that with great power comes great responsibility. Don’t be that guy.
It’s time to reexamine the paradigm for Project Zero and realize that every time Google publicizes one of these bugs they become part of the problem, not the solution.
Comic cover art and quote with thanks to the incredible Marvel Comics
As a tester and a consumer, I may not be pleased to learn that Microsoft hasn’t patched these issues yet, but I’m seriously <redacted> at Google over this. There are lessons here for Google and Microsoft that clearly need learning.
Google should continue to test for security issues, but if you are going to threaten others with a ticking clock, shouldn’t the timeframe match a real estimate of how long it would take to develop, test and deploy the fix? I doubt that all bug fixes at Google receive the same arbitrary timeframe.
How about you? Do you think Google needs to dial it back for the sake of the consumer?