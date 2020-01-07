

Project Zero is generally known for finding major vulnerabilities, but it has been criticized by its peers for its relatively short disclosure timelines. For 2020, the security team is trialing a new policy that gives vendors a full 90 days before details of a problem are published.

Google is “happy with how well [its] disclosure policies have worked over the past five years” and notes that 97.7% of vulnerability reports have been fixed within the current 90-day disclosure deadline. For comparison, some issues reported in 2014 took six months or more to patch.

After revisiting its “complex and often controversial” disclosure policy, Project Zero is making a change in 2020. Affected vendors will get a “full 90 days by default, regardless of when the bug is fixed.” If the vendor and Project Zero agree, a bug report can still be published earlier.

Bug fixed in 20 days? Full details are published on day 90.

Bug fixed in 90 days? Full details are published on day 90.

Instead of aiming only for “faster patch development,” Project Zero now also wants to encourage thorough patches and improved patch adoption within those 90 days. The team describes its three goals as follows.

Faster patch development (existing): we want vendors to develop patches quickly and to have processes that get them into the hands of end users. We will continue to push for this urgently.

Thorough patch development (new): too many times we have seen vendors patch reported vulnerabilities by “papering over the cracks” without considering variants or addressing the root cause of a vulnerability. One concern is that our policy goal of “faster patch development” may aggravate this problem, making it far too easy for attackers to revive their exploits and carry on with little effort.

Improved patch adoption (new): end-user security does not improve when a bug is found, and it does not improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device. That is why it is important to improve timely patch adoption, so that users actually benefit from the bug being fixed.

This new policy will be trialed for 12 months before Google decides whether to adopt it long term.
