Software makers should fix "critical" vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit, according to Google.
In a Tuesday blog post co-authored by seven Google researchers and engineers, the internet giant called on vendors and bug hunters to adopt accepted standards for handling the submission and fixing of vulnerabilities.
The authors said creating such standards is a priority because of "increasing instances" of attacks leveraging unpatched vulnerabilities that previously had been reported to the vendor.
"Accordingly, we believe that responsible disclosure is a two-way street," the authors wrote. "Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."
Researchers should demand that software makers move up the deadline even earlier if there "exists evidence that black hats already have knowledge of the bug," according to Google's proposal. And if the vendor is unable to meet the agreed-upon deadline or declines to address the issue at all, researchers can respond by publishing an analysis of the flaw and offering suggested workarounds.
"We of course expect to be held to the same standards ourselves," the authors wrote. "We recognize that we've handled bug reports in the past where we've been unable to meet reasonable publication deadlines — due to unexpected dependencies, code complexity, or even simple mix-ups. In other instances, we've simply disagreed with a researcher on the scope or severity of a bug. In all these above cases, we've been happy for publication to proceed, and grateful for the heads-up."
Chenxi Wang, an analyst at Forrester Research, agreed that the industry must formulate a standard for responding to vulnerabilities, particularly those that are remotely exploitable.
"There needs to be because there are certain vulnerabilities that are critical that if you don't patch them, it becomes very detrimental to customers who have this software," she told SCMagazineUS.com on Wednesday. "The industry can decide how long [the deadline should be]...but the shorter you make it, the better. The exploits are coming out faster and faster."
Wang, however, said that a missed deadline or a failure to respond should not grant the researcher the right to publish a full description of the issue. She said there are ways to publicly draw attention to the bug without revealing specifics.
The blog entry's writers included Tavis Ormandy, a Swiss Google employee who bore criticism last month when he posted details surrounding a Windows zero-day vulnerability to the Full Disclosure mailing list. Ormandy had notified Microsoft about the flaw but decided to take it public five days later when he was not satisfied with Microsoft's timeline for a fix.
Some accused Ormandy of following irresponsible disclosure practices, particularly only giving Microsoft five days to issue a patch. But Ormandy, in a tweet defending his actions, said: "Those five days were spent trying to negotiate a fix within 60 days."
A Microsoft spokeswoman said the company would not be able to comment on Google's proposed guidelines until Thursday.
"We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts," the Google blog post said. "Creating pressure toward more reasonably timed fixes will result in smaller windows of opportunity for black hats to abuse vulnerabilities. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the internet."
Also on Tuesday, Google announced that it has increased the cash awards distributed under its incentive program, designed to encourage researchers to report bugs they find in Chromium, the open-source framework on which the Chrome web browser is based. The maximum reward for a "particularly severe" vulnerability is now $3,133.70, up from $1,337.
The move follows Mozilla's announcement Thursday that it was upping its bounty payment from $500 to $3,000 per eligible bug.
"A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best way to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," wrote Lucas Adamski, director of security engineering at Mozilla.
Most software makers, however, have not followed Google and Mozilla's lead. Microsoft, for instance, does not offer cash prizes for vulnerability disclosures.
Microsoft officials have told SCMagazineUS.com that the company stands by its policy to only reward bug finders with name recognition, not cash.
