It seems that Microsoft isn’t happy with Google’s security team, Project Zero, announcing the presence of so-called ‘0-day’ vulnerabilities that it discovers in the wild.
This week, however, Microsoft Security Response Center Senior Director Chris Betz noted in a blog post that his team does not take the stance that full, public disclosure is needed to push software vendors to fix vulnerabilities and help customers protect themselves. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.”
With many resources on the internet already offering full disclosure of 0-day vulnerabilities, is this just Microsoft posturing against Google, or do they have a point? Should notification of 0-day vulnerabilities be provided behind closed doors rather than for public dissemination?