From Google's standpoint, it fully cooperated with Microsoft in patching the vulnerability that was discovered and reported by Microsoft's Offensive Security Research team on September 14.
There is no love lost between Microsoft and Google when it comes to security patches.
Discovering the exploit was only the beginning of Microsoft's work with Google: the company then took the opportunity to dish out a backhanded lesson in dealing with vulnerability discoveries. "Chrome's relative lack of remote code execution (RCE) mitigations means the path from memory corruption bug to exploit can be a short one", wrote Jordan Rabet, a member of the Microsoft Offensive Security Research team, in a blog post late on Thursday.
Recently, Microsoft found itself in a position to scold Google, the frequent and bothersome finder of exploits in its own products, and boy did the company jump at the opportunity.
Google paid Microsoft a $7,500 bug bounty for disclosing the Chrome vulnerability, along with another $8,337 for other uncovered bugs, which the firm donated to charity.
Google patched the problem within a week in its beta versions of Chrome, but Microsoft notes that, although now fixed, the stable and public channel "remained vulnerable for almost a month". Giving the general public access to source code before it reaches the regular release channels makes it significantly easier to find vulnerabilities that could be used in the window between the code being published to GitHub and the final bug fix being pushed out.
"In this specific case, the stable channel of Chrome remained vulnerable for almost a month after that commit was pushed to git".
"Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers", Microsoft concludes.
Google's Project Zero security team has been keeping Microsoft busy finding exploits in Windows and Edge, and on occasion announcing them publicly before Microsoft has patches available.