Monday, July 31, 2006

Responsible Disclosure (continued)

(Re-edited for the benefit of aggregator readers) On the 15th of this month, I posted about "responsible disclosure" and Microsoft's PR practices. Right in the middle of it, I planted a troll about MS's inability to keep up with the "month of browser bugs".

Two reader responses later, it appeared that we were headed deep into religious war territory. While asking why MS can't keep up in the patching process may have been a bit of a troll, it is a legitimate question. (Hint: pointing out that other browsers' patches have contained problems is legitimate only if MS has never released buggy patches for IE. Otherwise, it's poor logic and tends to make the discussion smell of dead horse.)

I will attempt to answer the question here though.

The answer doesn't lie within the politics of the vulnerability researchers or the "evil intentions" of any of the parties involved. It actually lies within "the process" and the previous coding decisions (e.g., the browser is part of the OS) at MS. Because the code base is much, much larger and because changes within browser code will affect "things" outside of the browser, the distance between "start" and "finish" for MS patches is much longer.

Other browsers have more coders, less code, and fewer OS hooks. Thus the patching process happens more quickly. Simple. It's futile for MS to attempt to keep up and counterproductive to make allusions to the motives of vulnerability researchers. The responsible disclosure "discussion" should have gone away years ago.

I hereby apologize to IronYuppie for troll-baiting. I do tend to like saying "the emperor has no clothes" when it comes to the marketing and public relations departments at MS. Neither one (IMHO) does the company justice in the long run.