Google's security team has recently announced changes to its vulnerability disclosure policy after facing flak in the past from other large companies, Microsoft among them. Project Zero, Google's security research team, recently disclosed zero-day vulnerabilities in Microsoft's Windows 8.1 and Apple's OS X operating systems, which caused a great deal of argument between the companies because the issues had not yet been patched when they were made public.
Many felt that this could have given attackers a window to exploit the flaws before Microsoft and Apple were able to fix them.
Google, for its part, pointed to the disclosure policies of Carnegie Mellon's CERT, Yahoo, and Tipping Point's Zero Day Initiative to support its position. The Google Security Team said that such deadline-based vulnerability disclosure policies for vendors "improve end-user security by getting security patches to users faster."
Google's Project Zero team wrote on its blog:
"Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster. To see how things are going, we crunched some data on Project Zero's disclosures to date. For example, the Adobe Flash team probably has the largest install base and a number of build combinations of any of the products we've researched so far. To date, they have fixed 37 Project Zero vulnerabilities (or 100%) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days."
Google said that it is now making changes to the 90-day deadline. These are as follows:
- Vendors can now ask for a 14-day grace period before disclosure if they are actively working on a fix. An unpatched issue will only be disclosed publicly once the deadline has been missed significantly.
- If the deadline expires on a weekend or a US public holiday, it now moves to the next business day.
- Bugs that go past the deadline will be assigned a Common Vulnerabilities and Exposures (CVE) identifier through MITRE before they are disclosed to the public. The Project Zero team now takes responsibility for this in order to avoid confusion.
Finally, Google stated that it will treat all vendors equally: Google's own products, such as Chrome and Android, are subject to the same deadline policy set out by Project Zero. With these changes Google aims to improve the industry's response time to security bugs so that timely action can be taken against threats.