Google Project Zero Gives Tech Firms Longer to Fix Vulnerabilities
Google Project Zero, a team of security experts employed by the search giant with the job of hunting down zero day software vulnerabilities, has updated its vulnerability disclosure guidelines.
The updated policy adds an extra 30-day window to some security bug disclosures. Before this, Google researchers would publish details of vulnerabilities on their online bug tracker at the end of a 90-day window, or after the bug was patched.
Longer to Patch
The additional month (approximately) gives both vendors and users a bit longer to develop, share, and install the necessary patches for their software before details of the vulnerability are shared online. This is good news since the moment vulnerability details are shared online they could potentially be weaponized by attackers.
Although patches have most often been released by the point that vulnerability details are published, that still relies on users having installed the patches themselves. In some cases, this can be a time-intensive task. Google’s extra 30 days is therefore good news.
“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy,” Tim Willis of Project Zero Vendors said in a blog post describing the change. “Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.”
Project Zero is additionally extending the extra 30-day grace period to zero day vulnerabilities that are being actively exploited against users in the wild. While the disclosure deadline is just seven days for patching, technical details will only be published 30 days after the fix—so long as the issue is fixed by developers. If not, technical details will be published immediately.
Extended to Zero Day Vulnerabilities, Too
These new rules will apply for 2021, although things could change again in the future. As the blog post notes: “Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines.”
Getting these kinds of disclosures right is a tough job, balancing the best interests of users with giving developers sufficient time to develop and release a patch. As the Project Zero team is clearly aware, it’s an area that will continue to be tweaked as cybersecurity and patching measures develop.
For now, though, you would be hard-pressed to suggest that Google’s security experts aren’t doing the right thing.