Google Project Zero Revise 90-Day Disclosure Rules

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://www.theregister.co.uk/2020/01/07/google_project_zero/
This month, Project Zero revised its Disclosure Policy so that it will publicly reveal details of a security flaw precisely 90 days after privately disclosing the details to the relevant vendor. This is a change from the previous policy under which bugs were revealed after 90 days or when fixed, whichever came first.

As a result of the amended policy, vulnerability details will remain undisclosed for a longer period of time, giving developers enough time to fix their code, and netizens to test and install the patches, before Googlers make technical details and proof-of-concept exploits public for all to see. Project Zero will, we note, reveal vulnerability details sooner if there's mutual agreement between the affected vendor and the web goliath's team. There are also other exceptions: vendors can request an additional 14-day grace period if a vulnerability will be fixed after the 90-day deadline but before 104 days have elapsed. And a seven-day deadline still applies for vulnerabilities being actively exploited in the wild.
Click to expand...
imagine this scenario: Project Zero privately informs you that your application has a security hole in it. You spend the next two weeks fixing and testing a resolution for the flaw, and then roll out a suitable patch to your users. Folks now have the best part of 90 days to install this update and be safe before Google goes public with full details of your programming blunder. If the patch breaks during these 90 days, you still have time to address it before the Silicon Valley monster lifts the veil.

Under the old approach, Project Zero would privately tell you that your app has a security hole in it. You then spend the next two weeks fixing and testing the update, and roll out the patch to your users. Googlers immediately spot this, and make their bug report public. Your users are now in a race to update their systems before the hole is abused by miscreants using the web giant's exploit. If your patch doesn't fully work, your users are now left completely vulnerable while hackers play merry havoc with your busted code as you scramble to emit a followup update.

In either case, of course, you're racing against malware developers who are poring over your security patch, as soon as it is released, to find a way to attack unpatched users – though bear in mind, when Google goes public, it typically posts proof-of-concept exploit code, taking care of most of that effort for miscreants.
Click to expand...
 
  • Like
Reactions: silversurfer, Gandalf_The_Grey, Threadripper and 3 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Google: Android patch gap makes n-days as dangerous as zero-days
Replies
7
Views
1,205
News Archive
ForgottenSeer 97327
F
Gandalf_The_Grey
    • Like
    • +Reputation
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
Replies
2
Views
1,516
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • Thanks
Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks
Replies
1
Views
1,513
News Archive
nicolaasjan
nicolaasjan

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top