Google's Project Zero is testing new vulnerability disclosure procedures
Google's vulnerability-finding Project Zero has drawn both criticism and praise, but there has long been concern about its policy of revealing the details of discovered vulnerabilities very quickly.
Previously, Project Zero gave software developers a 90-day window to fix a bug before going public, but it would also publish the details of a vulnerability as soon as a fix was released. For 2020, Google is trying something new: the company will wait the full 90 days before disclosing a vulnerability, regardless of when the bug is fixed.
Some developers and security experts considered publishing the details of a vulnerability as soon as a fix was available to be a bad idea. After all, just because a patch has been released does not mean that everyone has installed it.
Google says it will trial the new policy for the next year. The company may then decide to keep the new way of working, or it may revert to how things were.
In a blog post about the change, Google explains:
For vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed.
Fix a bug in 20 days? We will release all details on Day 90.
Fix a bug in 90 days? We will release all details on Day 90.
If there is mutual agreement between the vendor and Project Zero, bug reports can be opened to the public before 90 days elapse. For example, a vendor wants to synchronize the opening of our tracker report with their release notes to minimize user confusion and questions.
The company goes on to explain the thinking behind the change: "We want to make attacks using zero-day exploits more costly. We do this through the lens of offensive vulnerability research and evidence of how real attackers behave. This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realised that faster patch development and patch deployment were very important and areas for industry improvement".
Google also acknowledges that there have been problems with its previous approach, saying:
End user security doesn't improve when a bug is found, and it doesn't improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device. To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.