The debate over disclosure deadlines is not likely to subside any time soon. When zero-day bug information is released publicly, end users are, no doubt, left at risk. The question, though, is whether they are at more or less risk when a bug is made public before a patch has been issued. Does a public vulnerability disclosure embarrass the software vendor into acting?
Whether Microsoft will be able to keep pace in 2015 with the volume of disclosure deadlines it faces from security researchers will be interesting to watch. HP ZDI has a public listing of its upcoming disclosure deadlines, and Microsoft is on the list with multiple upcoming deadlines, the first being Feb. 2. Will Microsoft patch in time? Only time will tell.