Google’s Project Zero said on Thursday that it will withhold the technical details of a vulnerability for 30 days after a fix ships, provided the vendor patches it within the 90-day deadline (or the 7-day deadline Google applies to bugs already being exploited in the wild).
In a public post, Project Zero said the 30-day period should help drive user patch adoption: “We're changing our disclosure policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details,” Google wrote.
Security researchers applauded Google for putting substantial effort into trying to improve vulnerability disclosure initiatives.
“Too many other vendors and enterprise infosec organizations take an unacceptable ‘head in the sand’ approach, just hoping vulnerabilities will go away,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. “While it’s always ideal to have maximum transparency, real-world security is never that easy. We wish the cyber security industry would start treating vulnerabilities with the urgency Google assumes in its new Project Zero disclosure policies.”
Bar-Dayan added that vulnerability remediation requires a continual balancing act: between available resources and business priorities, between security and IT objectives, and against the potential business impact and risk that a specific vulnerability poses to the organization.
“The time between vulnerability disclosure and vulnerability exploit is continuously shrinking, and bad actors aren’t going to wait for good actors to get their acts together,” Bar-Dayan said. “Enterprise security and IT organizations need to follow Google’s lead, get their own cyber hygiene house in order and get fixes done.”
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, added that public disclosures tend to set the stage for exploits of those vulnerabilities, which can cause larger problems for customers. However, he said responsible disclosure should be based not just on the vulnerability itself but on the actual risk, as not all vulnerabilities are equal.
“Sometimes we focus too much on the vendor, rather than the customer,” Carson said. “Responsible disclosure should prioritize that customers are notified of a vulnerability with the purpose of reducing the risks by either making the vulnerability public so they are aware that a risk exists, applying hardening to reduce the risks, or applying a vendor patch. Difficult-to-patch systems should also be taken into consideration, as even with public vulnerability disclosures, most systems remain unpatched for much longer, even years.”