Google Announce's Project Zero's Full 90-Day Disclosure Policy
Google has announced that its Project Zero disclosure guidelines are changing for 2020.
Project Zero, created in 2014, is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities, the secret hackable bugs that are exploited by criminals, state-sponsored hackers and intelligence agencies.
According to a Project Zero post, the security analysts at Project Zero spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers and software security norms of the larger industry. "We're very happy with how well our disclosure policy has worked over the past five years. We've seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy," the blog says.
For vulnerabilities reported starting January 1, 2020, Project Zero is changing their Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed. By making these changes, the security analysts hope that this will lead to faster patch development, thorough patch development and improved patch adoption.
In addition, details of incomplete fixes will be reported to the vendor and added to the existing report (which may already be public) and will not receive a new deadline. In 2019, Google says there was inconsistent handling of incomplete fixes. Such issues were either filed as separate vulnerabilities or added to existing reports at researcher discretion.
The security analysts say that the goal of these changes is to make attacks using zero-day exploits more costly. "We do this through the lens of offensive vulnerability research and evidence of how real attackers behave. This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realized that faster patch development and patch deployment were very important and areas for industry improvement," they say.
If patches take a long time to develop and deploy, then they "quickly fall behind the curve: more bugs are introduced than vendors can fix and a herculean effort is required to get things back on track."
“Project Zero is right to make this change as public disclosures tend to set the race to create exploits for vulnerabilities which can cause bigger problems for customers," says Joseph Carson, Chief Security Scientist. "However, in my opinion, responsible disclosure should not be just based on the actual vulnerability but the actual risk, as not all vulnerabilities are equal."
"Sometimes we focus too much on the vendor rather than the customer; responsible disclosure should be prioritizing that customers are notified of a vulnerability with the intention of reducing the risks by either making the vulnerability public so they are aware that a risk exists, applying hardening to reduce the risks or applying a vendor patch," Carson says. "Difficulty to patch systems should also be taken into consideration as even with public vulnerability disclosures most systems remain unpatched for much longer even years. Responsible disclosure is too broad today and needs to really put the customer first.”