Google's Project Zero is changing its policy on the disclosure of the vulnerabilities it finds. The main decision: starting in 2020, disclosures will be published 90 days after a vulnerability is reported. But it is a trial, running for one year.
As is well known, Google's Project Zero actively researches software products with the aim of uncovering vulnerabilities. In a blog post, Tim Willis writes that the team spends a lot of time discussing and assessing its vulnerability disclosure guidelines and their consequences for users, vendors, other security researchers and the security standards of the wider software industry.
At the moment, he said, the team is very satisfied with how well the disclosure policy has worked over the last five years. There have been improvements in the speed with which vendors patch serious weaknesses. Currently, 97.7% of the vulnerabilities discovered are patched within the 90-day disclosure deadline.
Internal and external discussions
This is a complex and often controversial topic that is discussed both within and outside the team. The team often receives feedback on its current policies from vendors with whom Project Zero works closely. Sometimes it is things they want changed, sometimes it is how the team's work has positively affected their own work and their users. Discussions like these help the disclosure policy evolve. For example, following discussions with various vendors, the team introduced a 14-day grace period for disclosure in 2015.
Changes from 2020
Project Zero has recently reviewed its internal policies and the objectives of its disclosure policy. As a result of this review, it was decided to make some changes to the vulnerability disclosure policy in 2020. For vulnerabilities reported from January 1, 2020 onwards, the disclosure policy changes as follows:
- Vulnerabilities will by default be disclosed a full 90 days after discovery, regardless of when the issue is resolved.
- This is also the case if the vulnerability is fixed within 20 days of reporting it to the developers.
- The disclosure period also applies if the vulnerability has not been closed after the 90 days.
If there is mutual agreement between the vendor and Project Zero, bug reports can be made publicly available before the 90-day period expires. For example, a vendor may want to synchronize the opening of the tracker report with its release notes to minimize confusion and user questions.
Patch quality as a new goal
In the past, the goal was to get security fixes for known vulnerabilities released faster (at the start of the project, it took up to six months in some cases until a patch was available). Now that the 90-day target for patch releases has been reached, the team is changing its focus. The reason for the move to a fixed 90-day disclosure is to improve the quality of patches. In the past, patches have been released that introduced new bugs, or the root cause of a vulnerability was not addressed.
Tim Willis wrote that finding a vulnerability and providing a patch does not raise the security of a product until users actually install that patch. This seems to be a reaction to the poor update quality from Microsoft, Apple and other vendors in recent years.
The Project Zero team plans to test this policy for 12 months and then consider whether to adopt it in the long term. Further details can be found in the announcement from Tim Willis.