Depending on who you ask, Google’s Project Zero is either the thing that’s going to singlehandedly save the internet, or the bane of many companies’ existence. It’s easy to see both sides of the argument.
On one hand, by uncovering previously undiscovered bugs in all manner of software and handing that information over to the authors, Google is undeniably performing a valued public service. The problem has never been with the “carrot” side of the equation, always with the stick.
The stick is this: Google gives each company 90 days in which to address the bug. If they take no action during that time, then Google will announce the existence of the bug to the world, which of course, means that hackers everywhere immediately have access to a new exploit.
This approach often accomplishes what contacting the vendor privately does not. Once the bug becomes common knowledge, the company in question is essentially forced to fix the problem, thus making the internet safer.
It should be noted that Google does allow exemptions to the 90-day rule. If a company is hard at work on a fix and needs more time, Google has been known to delay their announcement. In a similar vein, if a bug is simply catastrophic in scope and scale, the company has been known to make the announcement to help deploy resources of multiple companies toward addressing the issue.
More than 90 days ago, the Project Zero team discovered a pair of security flaws in Microsoft products. One in their Edge browser, and the other in the Windows 10 OS. One of the two got fixed. The other did not, and Google called them out for it.
Needless to say, Microsoft is not pleased, and they have hit Google back for such behavior in the past. They scored a PR victory last year when Microsoft engineers discovered a flaw in Google’s Chrome browser, and contacted the company privately so they could fix the issue and then bragged about their more responsible approach after the fact.
It will be interesting to see what Microsoft does in this instance.