
Microsoft has called for better co-ordination over software bug disclosures, less than a week after it announced plans to end the pre-release of Patch Tuesday cybersecurity bulletins to the public.
The move follows a decision by Google to publicly disclose an unpatched bug in Windows 8.1, after Microsoft failed to address the problem within a standard three-month window.
Chris Betz, senior director of the Microsoft Security Response Center (MSRC), claimed the disclosure came "two days before our planned fix on our well known and coordinated Patch Tuesday cadence", adding that Microsoft had asked Google not to release the information.
"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result," he said.
"What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
The timing of public disclosures is a contentious issue in cybersecurity, with some, such as Betz, arguing that a fix should be issued before the public is informed, thus minimising the risk that hackers will exploit the problem.
However, others argue that this position provides a fig leaf that allows firms to continuously put off patching, with the greetings card firm Moonpig’s alleged 17-month delay in fixing an API flaw among recent examples.
Betz’s comments follow considerable backlash over Microsoft’s decision to limit pre-release security alerts of the firm’s regular Patch Tuesday updates to premium customers, described by security firm Rapid7 as "an assault on IT and IT security teams".
Microsoft defended the decision, claiming that the majority of its customers no longer paid much attention to Patch Tuesday alerts and arguing tailored cybersecurity advice was now more appropriate.
Google has yet to respond to requests for comment.