SecurityWeek

Google Project Zero Updates Vulnerability Disclosure Policy

Google’s Project Zero has updated its vulnerability disclosure policy to keep bug reports closed for 90 days, regardless of whether a patch is out before the deadline or not. 

The new policy entered into effect on January 1, 2020, and will be used for 12 months, after which Project Zero will assess its impact and decide whether to keep it unchanged or update it.

Previously, vendors had the same 90 days to address reported vulnerabilities in their software, but the bug reports would become public either when patches were released or after 90 days, whichever came first.

Based on the new policy, bug reports won’t be opened to the public for 90 days after submission, even if a patch is released before the deadline. However, if there is a mutual agreement with the developer, Project Zero may open the report before the three-month period.

The goal of this new policy, Google Project Zero’s Tim Willis notes, goes beyond just attempting to speed up patching: thorough patch development and improved patch adoption are also a focus. 

Project Zero’s security researchers will also provide vendors with details on incomplete fixes and will add the information to the existing report, regardless of whether the report is public or not. The vendor won’t receive a new deadline.

As before, vendors may also request an additional 14 days to patch the reported vulnerabilities. If a fix is released during the grace period, the tracker reports are immediately opened to the public. No additional grace periods will be granted after 104 days have passed. 

If no grace period has been granted and if a mutual agreement with the developer does not exist, the Project Zero tracker reports will be opened automatically on Day 90.

The seven-day deadline that Project Zero has in place for vulnerabilities that are being actively exploited “in the wild” remains unchanged.

The 90-day vulnerability disclosure policy was adopted to ensure that patches are released fast, so that users are protected from potential attacks. Now, 97.7% of the vulnerability reports are addressed within the three-month timeframe.

Some of the discovered flaws, however, may already be exploited by attackers, and the security researchers introduce a sense of urgency so that vendors patch them as soon as possible.

“The full 90 day window is available to perform root cause and variant analysis. We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits,” Willis says. 

Joseph Carson, chief security scientist at Thycotic, told SecurityWeek in an emailed comment, “Project Zero is right to make this change as public disclosures tend to set the race to create exploits for vulnerabilities which can cause bigger problems for customers. However, in my opinion, responsible disclosure should not be just based on the actual vulnerability but the actual risk, as not all vulnerabilities are equal.”

Carson continued, “Sometimes we focus too much on the vendor rather than the customer; responsible disclosure should be prioritizing that customers are notified of a vulnerability with the intention of reducing the risks by either making the vulnerability public so they are aware that a risk exists, applying hardening to reduce the risks or applying a vendor patch. Difficulty to patch systems should also be taken into consideration as even with public vulnerability disclosures most systems remain unpatched for much longer even years. Responsible disclosure is too broad today and needs to really put the customer first.”

*Updated with additional commentary from Thycotic.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
