Google’s Project Zero finally gives companies a 30-day grace period to roll out patches

Gandalf_The_Grey

The release of patches for the recent Hafnium Exchange exploit led to a further massive wave of Exchange server exploits, as non-state threat actors reverse-engineered the patches to hack servers for non-political ransomware attacks. It is very often the case that a patch is the first criminal hackers learn of an exploit, and reverse engineering the patch is often a quick and easy way to develop an exploit against those who are still unpatched.

It is for this reason that Google’s Project Zero has often attracted a lot of flak, since they insist on releasing details of exploits within 90 days, irrespective of whether companies such as Microsoft have had enough time to test and roll out a fix.

Today Project Zero announced a new policy which would give companies 30 days to roll out their patch before disclosure, as long as they have actually developed the patch within the usual allotted 90 days, making it 120 days between discovery and disclosure. In cases where companies have not released a patch within 90 days, disclosure would be at the end of the usual 90-day period.