Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea

www.theregister.co.uk | 1/7/2020 | Staff

Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products.

This month, Project Zero revised its Disclosure Policy so that it will publicly reveal details of a security flaw precisely 90 days after privately disclosing the details to the relevant vendor. This is a change from the previous policy under which bugs were revealed after 90 days or when fixed, whichever came first.

As a result of the amended policy, vulnerability details will remain undisclosed for a longer period of time, giving developers enough time to fix their code, and netizens to test and install the patches, before Googlers make technical details and proof-of-concept exploits public for all to see. Project Zero will, we note, reveal vulnerability details sooner if there's mutual agreement between the affected vendor and the web goliath's team.

There are also other exceptions: vendors can request an additional 14-day grace period if a vulnerability will be fixed after the 90-day deadline but before 104 days have elapsed. And a seven-day deadline still applies for vulnerabilities being actively exploited in the wild.

So, imagine this scenario: Project Zero privately informs you that your application has a security hole in it. You spend the next two weeks fixing and testing a resolution for the flaw, and then roll out a suitable patch to your users. Folks now have the best part of 90 days to install this update and be safe before Google goes public with full details of your programming blunder. If the patch breaks during these 90 days, you still have time to address it before the Silicon Valley monster lifts the veil.

Under the old approach, Project Zero...