After Project Zero publicised an as-yet-unpatched Windows vulnerability because its 90-day disclosure deadline had elapsed, IT security experts from Tenable Network Security and Positive Technologies commented below.
Gavin Millard, Technical Director at Tenable Network Security:
“Project Zero’s 90 day window to issue a fix for a discovered vulnerability has been hotly debated in the industry, with some – generally the software vendors affected by the discovery – stating the time limit is too short to implement a fix, test and roll out. But for many, the 90 day window is seen to drive the right behaviour, focusing software companies to address flaws that could be used by an attacker to gain access.
“Microsoft fought hard against the 90 day disclosure window when Project Zero announced a privilege escalation bug affecting all versions of Windows last year, but with the Google team unaffected by the pressure, I find it highly doubtful that they’ll change the policy for future bugs they unearth.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“Responsible disclosure policy means a researcher who finds a bug will collaborate with the vendor to fix it, but it doesn’t mean they will remain silent indefinitely. The usual process is that, having reported a vulnerability, it’s up to the vendor to be proactive to fix it. If the company recognises there is a bug, it can ask for a postponement of publication of an advisory until it’s fixed. However, not all vendors will recognise the researcher’s claims, or might even delay the release of patches. In that case, the researcher may consider publishing the vulnerability after an announced period of time (usually 2-3 months), as an unpatched vulnerability can pose a risk to organisations. The thinking here is that drawing attention to the problem may advance a patch, as well as offering organisations the chance to implement additional security measures to offset risk.
“In this case, the vulnerability was actually found a year ago (March 2016 – CVE-2016-3216), and has already been officially patched. However, the researcher claims that the patch was ‘insufficient’. Given that warning was given, with the researcher saying ‘This bug is subject to a 90 day disclosure deadline’, the researcher has acted responsibly, but perhaps the vendor didn’t agree with the risk level of this vulnerability, so hasn’t asked for publication to be postponed.”