May 27, 2017

Google backpedals on its arbitrary vulnerability disclosure policy

(LiveHacking.Com) – Google has been under fire in recent weeks for disclosing zero-day vulnerabilities on a fixed schedule, handing attackers the details they need to go after unpatched systems. When Google publishes such a disclosure before a fix is available, it knows full well that it is putting the security and privacy of potentially millions of users at risk.

The positive side of these disclosures is that Google guarantees that vendors such as Microsoft, Apple and Adobe are told about the flaws first and given time to patch them before anything is published. By notifying the vendor privately and then allowing a fixed window in which to fix the issue, Google is trying to balance “the need of the public to be informed of security vulnerabilities” against the “vendors’ need for time to respond effectively”.

However, until now Google’s 90-day deadline has been a completely arbitrary cut-off, applied without any consideration of real-world circumstances. The problem was highlighted recently when Google published the details of a bug in Windows that Microsoft was scheduled to patch on January 13th: the 90 days ran out on January 11th, so Google published the details anyway, two days before the fix shipped. Google was sticking to the letter of its policy rather than the spirit of it.

But now it seems that Google has seen the error of its ways and updated its disclosure policy. From now on:

  • Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
  • Grace period. Google now has a 14-day grace period. If a 90-day deadline will expire but a vendor lets Google know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
  • Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, Google will ensure that a CVE has been pre-assigned.

While Microsoft welcomes the changes, it would much rather see Google coordinate disclosure timing directly with software vendors than impose fixed deadlines. “When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up,” Microsoft’s Chris Betz told The Register in an emailed statement. “While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies.”
