According to TechRadar, Google’s Project Zero has revealed that it will be trialling a new policy where the security team will give companies a full 90 days before disclosing issues in their systems or software. The search giant’s team of security analysts is well regarded for discovering major vulnerabilities but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to fix this while also holding companies more accountable for how they patch security issues.
Google’s Project Zero security team will now wait 90 days to disclose any vulnerabilities they find https://t.co/I34214G4CU
— XDA (@xdadevelopers) January 8, 2020
The focus of Project Zero has been one metric: faster patch development. Like all good responsible disclosure practices, the intention is to pressurise vendors into developing patches promptly, before the bad guys discover the same vulnerability.
The latest change means that while this remains the most important metric, it’s not the only one. It’s also important that developers have time to make good patches and that users have time to apply them, before the vulnerability is weaponised in the wild.
Given Project Zero’s associations with Google, there is also a political angle to consider. As a technology vendor, Google might be accused of impartiality if vulnerabilities are arbitrarily reported, especially if the flaws are found in competitive software and applications.
I do not believe that the change will lead to vulnerabilities being open for longer. What we might see, as an indirect consequence, is a shift to more secrecy in patch release notes, as to the specifics of the security vulnerabilities which are addressed by a given patch.
The harm comes from the mismatch between the idealised premise that organisations patch immediately upon release of a fix and what actually happens. In reality, this happens in a tiny fraction of organisations and most patch far slower (figures vary, but a commonly cited average is a little longer than 100 days, which matches my experience in ‘typical’ organisations).
The change will increase the work-effort required by attackers and raise the skill level necessary to successfully use the given vulnerability, which is all we (as cyber security professionals) can ever really seek to do.
Project Zero’s policy and disclosure update is a solid concession given the amount of time it can take to get a security patch fully deployed to users, even when a vendor fixes the bug quickly.
The right kind of pressure can be a good thing when it comes to vulnerability finds and fixes, and this is what Google is trying to optimize through its policy. Creating efficient patch developments, but avoiding hasty rollouts, is Project Zero’s goal, and Google is moving the industry forward with this policy by motivating developers to prioritize security.
The policy’s delayed disclosure notice is a smart move: it relieves the incentive to rush patch development into the wild, which in turn reduces the potential for poor security outcomes as a product of their research.
It’s certainly a novel update to standard coordinated vulnerability disclosure (CVD) practices, and it’ll be interesting to see how successful this policy update is throughout the year.
I think this is an excellent move by Project Zero, because once the vulnerability is patched, it does not mean that everyone is instantaneously secure. Patches work with a time lag and this has obviously been taken into consideration to best protect both the company at stake and the users.
Responsible disclosure times are a tradeoff between the scale of the vulnerability, whether it is being exploited in the wild and giving companies enough time to respond to the threat. A fixed length will most likely work for the majority of vulnerabilities and I am sure analysis of previous threats has been considered to create this mean average time. However, for this to work, Project Zero will still have to take into account that some individual patches may clearly need more time before they are made public to best ensure the safety of their users.