Under-fire Google tweaks bug disclosure policy

After stinging criticism from Microsoft and others over how and when it reported zero-day flaws, Google has changed its vulnerability disclosure policy.


In a blog post published late on Friday, Google Security and Project Zero, the search giant's controversial security research team, confirmed that the firm as a whole would hold off disclosing zero-day vulnerabilities until 90 days had passed.

“Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well,” reads the blog post, which was written by members of both teams. “We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

“We've chosen a middle-of-the-road deadline timeline and feel it's reasonably calibrated for the current state of the industry.”

Although noting that US-CERT has previously advised a disclosure deadline of only 45 days, Google said that it settled on 90 after finding that 85 percent of the 154 bugs discovered by Project Zero had been fixed within that time-frame, rising to 95 percent for bugs reported after October 1 last year.

Adobe was the top-performer in this regard, fixing 100 percent of bugs (there were 37 in total) within the 90-day period, according to Google.

Elsewhere, the revised policy will also see Google extend the deadline to the next working day if it falls on a weekend, and grant a grace period if the vendor in question has scheduled a fix for a specific day within the 14 days following the deadline, in which case disclosure is held until that fix ships.
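The blog post invites other researchers to adopt the policy verbatim, so here is the deadline arithmetic written out as code. This is an added example, not code from Google or Project Zero; the function names, the assumption that the weekend roll-over is applied before the 14-day grace window is measured, and the sample dates are all my own.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

DEADLINE_DAYS = 90   # standard Project Zero deadline, counted from the day the vendor is notified
GRACE_DAYS = 14      # grace window: a fix scheduled within this many days after the deadline delays disclosure


def roll_to_working_day(d: date) -> date:
    """If a date lands on a Saturday or Sunday, move it to the following Monday."""
    # date.weekday(): Monday == 0 ... Saturday == 5, Sunday == 6
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def disclosure_date(notified: date,
                    fix_scheduled: Optional[date] = None,
                    fix_released: Optional[date] = None) -> Tuple[date, str]:
    """Return (date on which details go public, reason).

    Rules, as described in the policy:
      1. Deadline is notification + 90 days, rolled forward off a weekend.
      2. If the vendor releases a fix on or before the deadline, disclose on release.
      3. If the vendor has scheduled a fix for a specific day within 14 days
         after the deadline, hold disclosure until that day (grace period).
      4. Otherwise disclose on the deadline.
    Assumption (mine): the grace window is measured from the rolled deadline.
    """
    deadline = roll_to_working_day(notified + timedelta(days=DEADLINE_DAYS))

    if fix_released is not None and fix_released <= deadline:
        return fix_released, "fix released before deadline"

    if fix_scheduled is not None and deadline < fix_scheduled <= deadline + timedelta(days=GRACE_DAYS):
        return fix_scheduled, "grace period"

    return deadline, "deadline"


if __name__ == "__main__":
    # Constructed sample: a report sent on Sunday 15 Feb 2015. 90 days later is
    # Saturday 16 May 2015, which rolls to Monday 18 May 2015.
    notified = date(2015, 2, 15)
    print(disclosure_date(notified))                                   # (2015-05-18, 'deadline')
    print(disclosure_date(notified, fix_scheduled=date(2015, 5, 25)))  # (2015-05-25, 'grace period')
    print(disclosure_date(notified, fix_scheduled=date(2015, 6, 5)))   # (2015-05-18, 'deadline') - outside the 14 days
    print(disclosure_date(notified, fix_released=date(2015, 4, 1)))    # (2015-04-01, 'fix released before deadline')
```

The grace period only helps a vendor who commits to a specific ship date before the deadline passes; a vague "soon" does not move the date, which is the point of a fixed-deadline policy.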

In addition, the Silicon Valley technology firm will pre-assign CVE (Common Vulnerabilities and Exposures) identifiers to bugs that go past their deadlines before it discloses them, so as to avoid confusion and help the public track specific threats.

Despite the news, Google's security researchers also warned that they retain the power to bring these deadlines forward or push them back at any time.

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances,” the blog post continues. “We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.

“Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline. Finally, we'd like to call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our data and reasoning compelling. We're excited by the early results that disclosure deadlines are delivering -- and with the help of the broader community, we can achieve even more.”

Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that vulnerabilities often vary on a case-by-case basis: “While the 14-day grace period will potentially help to ward off exploit information going live days prior to a fix, it remains to be seen if fixed deadlines work in such a fluid and volatile field as software coding,” said Boyd. “There are so many variables at play for every security vulnerability that it boils down to taking everything on a case-by-case basis. That may not be hugely reassuring, but what we have at present is major corporations attempting to play by rulebooks which black hats have long since torn up and thrown in the trash.”
