Under-fire Google tweaks bug disclosure policy

News by Doug Drinkwater

After stinging criticism from Microsoft and others over how and when it reported zero-day flaws, Google has changed its vulnerability disclosure policy.

In a blog post published late on Friday, Google Security and Project Zero, the search giant's controversial security research team, confirmed that the firm would collectively hold off disclosing zero-day vulnerabilities until 90 days had passed.

“Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well,” reads the blog post, which was written by members of both teams. “We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

“We've chosen a middle-of-the-road deadline timeline and feel it's reasonably calibrated for the current state of the industry.”

Although noting that the US CERT has previously advised a disclosure policy of only 45 days, Google said that it agreed on 90 after finding that 85 percent of the 154 bugs discovered by Project Zero have been fixed within this time-frame, with this rising to 95 percent of bugs unearthed after October 1 last year.

Adobe was the top performer in this regard, fixing 100 percent of bugs (there were 37 in total) within the 90-day period, according to Google.

Elsewhere, the revised policy will also see Google extend the deadline to the next working day if it falls on a weekend, while it says it will grant a grace period if the vendor in question has scheduled a fix for a specific day within the next 14 days.

In addition, the Silicon Valley technology firm will pre-assign CVE (Common Vulnerabilities and Exposures) numbers to bugs that go past their deadlines before it discloses them, so as to avoid confusion and help the public understand specific threats.
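The deadline rules described above (90 days from notification, disclosure brought forward if a fix ships first, a weekend deadline rolled to the next working day, and a grace period when a fix is scheduled within 14 days of the deadline) are easy to get subtly wrong when tracked by hand. The following Python snippet is an added example, not code from Google or the article, that encodes those rules as a small deadline calculator a vulnerability-coordination team could use for its own tracking; the dates passed in below are constructed, and the 90-day and 14-day values are taken from the policy as the article reports it.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

# Policy parameters as reported in the article (assumed constants for this example).
DEADLINE_DAYS = 90        # details go public 90 days after the vendor is notified
GRACE_WINDOW_DAYS = 14    # grace granted if a fix is scheduled within 14 days of the deadline


def _roll_to_working_day(d: date) -> date:
    """Move a date that falls on Saturday or Sunday to the following Monday."""
    while d.weekday() >= 5:          # Monday=0 ... Saturday=5, Sunday=6
        d += timedelta(days=1)
    return d


def disclosure_date(reported_on: str,
                    fix_released_on: Optional[str] = None,
                    fix_scheduled_for: Optional[str] = None) -> Tuple[str, str]:
    """Return (ISO date, reason) on which details may be published under the policy.

    reported_on       -- day the vendor was notified (ISO 8601, e.g. "2015-01-02")
    fix_released_on   -- day the vendor actually shipped a fix, if known
    fix_scheduled_for -- day the vendor has committed to ship a fix, if known
    """
    reported = date.fromisoformat(reported_on)
    deadline = _roll_to_working_day(reported + timedelta(days=DEADLINE_DAYS))

    # A fix released before the deadline brings disclosure forward to that day.
    if fix_released_on is not None:
        released = date.fromisoformat(fix_released_on)
        if released < deadline:
            return released.isoformat(), "fix released before deadline"

    # A fix scheduled shortly after the deadline earns a grace period up to that day.
    if fix_scheduled_for is not None:
        scheduled = date.fromisoformat(fix_scheduled_for)
        if deadline < scheduled <= deadline + timedelta(days=GRACE_WINDOW_DAYS):
            return scheduled.isoformat(), "grace period"

    return deadline.isoformat(), "deadline"


def needs_cve_preassignment(reported_on: str, today: str, fixed: bool = False,
                            fix_scheduled_for: Optional[str] = None) -> bool:
    """True when an unfixed bug has reached its (possibly grace-extended) disclosure
    date, i.e. the point at which the policy pre-assigns a CVE before publishing."""
    if fixed:
        return False
    disclose_on, _ = disclosure_date(reported_on, None, fix_scheduled_for)
    return date.fromisoformat(today) >= date.fromisoformat(disclose_on)


if __name__ == "__main__":
    # Constructed sample cases: a Sunday notification whose 90th day lands on a
    # Saturday, a fix that ships early, and a fix scheduled inside the grace window.
    print(disclosure_date("2015-01-04"))                                   # rolled to Monday
    print(disclosure_date("2015-01-02", fix_released_on="2015-03-15"))     # early disclosure
    print(disclosure_date("2015-01-02", fix_scheduled_for="2015-04-10"))   # grace period
    print(needs_cve_preassignment("2015-01-02", "2015-04-03"))             # overdue, no fix
```

The calculator deliberately leaves out the "extreme circumstances" clause quoted later in the article, since that is a human judgement call rather than a rule; a real tracker would record such overrides alongside the computed date rather than compute them.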

Despite the news, Google's security researchers also warned that they still have the power to bring these deadlines forward or back at any time.

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances,” the blog post continues. “We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.

“Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline. Finally, we'd like to call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our data and reasoning compelling. We're excited by the early results that disclosure deadlines are delivering -- and with the help of the broader community, we can achieve even more.”

Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that vulnerabilities often vary on a case-by-case basis: “While the 14 day grace period will potentially help to ward off exploit information going live days prior to a fix, it remains to be seen if fixed deadlines work in such a fluid and volatile field as software coding,” said Boyd. “There are so many variables at play for every security vulnerability that it boils down to taking everything on a case by case basis. That may not be hugely reassuring, but what we have at present is major corporations attempting to play by rulebooks which black hats have long since torn up and thrown in the trash.”

Meanwhile, veteran security researcher Graham Cluley said that while the news was encouraging, he still wasn't sure whose interests Google were taking into consideration.

“…I'm still concerned that Google isn't acting in the best interest of most internet users with its full disclosure policy and releasing of proof-of-concept code,” he wrote on his website. “Surely to pressure a software vendor into fixing a bug, it doesn't have to give the mechanisms for exploiting a vulnerability into the hands of those who might exploit them for malicious purposes?”

Rik Ferguson, VP of security research at Trend Micro, said in an email to SC that the 90 day time-frame is enough, and hopes vendors strive to be better still.

"90 days seems like a perfectly reasonable period to work with a vendor to get a patch released for serious vulnerabilities. Most vendors, I would hope, would strive to better that if the security of their customers were at risk," he said.

"We have certainly seen plenty of examples where exploits are in the wild before vendors are even aware of the vulnerabilities. In the rare cases where a patch is more complex to implement, Google are indicating their willingness to work with the affected vendor outside those deadlines if strictly necessary. Anything that drives more secure software within a workable framework is all to the good."

Kasper Lindgaard, director of research and security, added that only hackers would have benefited from Project Zero's earlier disclosures: “I am very pleased to see that Google has decided to loosen up its rigid disclosure policy represented by Project Zero," he told SC.

"Observing the reactions from the security community it is a sensible and decent thing to do. This is good news for the overall security of both companies and even for private users – in reality it was only the hackers who profited from Google's choice of indiscriminately disclosing vulnerabilities, just a few days before the vendor could release an available patch.”

Google's Project Zero team has been getting criticism in some quarters in recent months for disclosing unpatched zero-day vulnerabilities in Microsoft's Windows 8.1 and Apple's OS X, giving attackers a window of opportunity before fixes could be issued. In a blog post issued last month, Microsoft security researcher Chris Betz said that the disclosure “feels less like principles and more like a ‘gotcha’.”

"What's right for Google is not always right for customers," Betz wrote in a blog post in January. "We urge Google to make protection of customers our collective primary goal."
