A bug too far?
16 January 2015
It’s a bit like when someone declared some years ago that spam would be sorted out by a certain date too, a date which has not only come and gone but is now fading into folk memory, along with the chap who said it.
However, a lot of attention has been focused lately on the issue of software bugs as Google has reported three Windows vulnerabilities, having notified Microsoft under the terms of its Project Zero efforts — that is 90 days from notification to fix before going public.
In this latest case, Google went public despite Microsoft having made significant efforts to develop and distribute a fix before running into a last minute snag that left it off the usual Patch Tuesday run.
Now, I’m all for naming and shaming when it comes to flaws that should never have made it out in the first place, but is it fair to still disclose when all reasonable efforts have been made to provide a fix?
I completely agree with the view that some companies have traditionally been complacent about fixing bugs, particularly in software that is very widely available and adopted, especially in the consumer arena. But where encouragement and a high level of public attention come together, they do not always produce the results expected. One need only take the example of a household name in browser plug-ins and its long-running travails with a certain mobile platform to see proof of this.
In this context, one must ask what Google is trying to achieve with this effort. Is it trying to raise the bar in terms of the quality of software delivered? Or is it being opportunistic, having discovered a handful of bugs that no one else seems to have flagged?
The question is not an easy one to answer, but the situation is one in which the caster of the first stone is not without sin.
Google has come in for much criticism lately for refusing to patch a vulnerability in Android KitKat (4.4) that leaves potentially 60% of Android users at risk. This is hardly the mark of a company that is selflessly dedicating resources to protecting users of its software.
The fact is that software will contain bugs as long as people write it, which is for the foreseeable future.
How bugs are discovered, handled and resolved is where the differentiators emerge, and it is safe to say that all major vendors have instances where any and all of the above could have been done better.
Therefore, I would argue that while it is worthwhile for large vendors to have some mechanism by which they can share information and even set tight constraints for resolution after notification, it is still worth retaining some flexibility in cases where all reasonable efforts at resolution have been made but some snag prevents a fix within the agreed time frame. Otherwise, what is the purpose of such a system? It would risk degenerating into a points-scoring exercise in which users are left exposed through no fault of their own, potentially resulting in them losing trust in all vendors, not just the guilty party.