Re: Sorry, but Google were utterly wrong.
Sigh, we've done this one before.
Yes, if only the entire IT security community hadn't had this whole "responsible disclosure" argument ad nauseam ten years ago, across all the prominent conferences and mailing lists and other forums... Oh, wait, we did.
Well, we shouldn't be surprised that the non-experts are once again stumbling blindly over the same territory, September being eternal and all that.
Personally, I'm firmly on Google's side in this case (and I'm no Google fan). I remember all too well the days before responsible disclosure became the norm, when firms would sit for years on known vulnerabilities while exploits circulated among the txtfile community. Responsible disclosure was what got Microsoft (and a great many other firms) off its collective ass in the first place; it's not a coincidence that Bill Gates' "Trustworthy Computing" memo came out a few months after RFPolicy started the rush to formalize disclosure policies.
And responsible disclosure works because it's a carrot and a stick. The carrot is refraining from publishing exploits immediately; the stick is the threat to publish eventually. They only work when they're imposed by researchers, not the affected vendors. Sure, Microsoft's free to push its own disclosure policy[1], but they'll have to live with the fact that they can't impose it on researchers, and that not everyone will agree that their way is the best.
The MS Trustworthy Computing initiative and the security groups that have come out of it are a mixed bag. Some of it is, in fact, excellent. Other bits are not. Their handling of reported vulnerabilities is, in my opinion, better than the industry average; but it's not so good that researchers should feel compelled to agree to Microsoft's terms.
[1] Though they might have done so a bit less ham-fistedly. Like, say, publishing it as HTML rather than as a fucking Word document. The late, great Rich Stevens once rightly excoriated Microsoft for pretending that everyone loves its stupid proprietary document format, but they'll never acknowledge that. It'd also have been good if they'd drafted something a little earlier than 2010.