Google Shifts to 90-Day Bug Disclosures by Default
Google has tweaked its Project Zero disclosure policy in a bid to drive more thorough patch development and improved adoption.
The new direction for 2020 centers around one major change: from January 1 this year the firm will implement a full 90-day disclosure policy regardless of when a vulnerability is fixed by a vendor. In the past, the relevant researchers could decide whether disclosure came at the end of the 90-day period or when a bug was fixed.
Although the rationale for the previous policy was to speed patch development by affected vendors, Google now also wants to focus on additional goals, according to Project Zero manager, Tim Willis.
With 97.7% of issues identified by Project Zero now fixed within the deadline, thoughts moved to improving the underlying principles of simplicity, fairness and consistency, he said.
With that in mind, Google not only wants to continue pursuing faster patch development but also now to improving the thoroughness of patches.
“Too many times, we've seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” explained Willis. “One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”
Providing a full 90-day window means vendors will therefore have more time to perform root cause and variant analysis.
“We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits,” said Willis.
Google’s second goal for 2020 is to improve adoption of any patches that arise from Project Zero research.
“End user security doesn't improve when a bug is found, and it doesn't improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device,” argued Willis.
“To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.”
Once again, the 90-day time frame should provide more opportunity and incentive for vendors to encourage installation of their fixes by a larger user population.
Google is also betting that leveling the playing field with a mandatory 90-day window will encourage vendors to work more closely with its researchers on bigger problems.
“We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration,” Willis concluded.
Source: Information Security Magazine