
Security Experts Laud Project Zero’s Push for Greater Transparency, Faster Patches
Mathew J. Schwartz (euroinfosec) •
August 1, 2025

Google is trying out a new approach to publicizing flaws found by its in-house bug hunters aimed at more rapidly getting patches into users’ hands.
Under a trial policy effective immediately, Google’s Project Zero team will publish a general alert to the public within seven days of any vulnerability notification it makes to another company. The alert will name the vulnerable product, state when the vendor was notified and when Google intends to release full details of the flaw publicly, which typically occurs 90 days after Google makes its notification.
This trial policy, dubbed “Reporting Transparency,” aims to shrink the upstream patch gap, the period in which a fix is available “but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product,” said Tim Willis, head of Google Project Zero, in a blog post. The Google unit, active for more than a decade, finds and reports software vulnerabilities to vendors and open-source project teams.
Google reports seeing significant delays when multiple vendors are involved, such as chipset makers who develop patched drivers and send them to OEMs. “For the end user, a vulnerability isn’t fixed when a patch is released from Vendor A to Vendor B,” said Willis. “It’s only fixed when they download the update and install it on their device.”
Google’s trial approach could also make it easier to track how long it takes a company that receives a Project Zero notification, and its downstream dependents, to release the patch.
“There is a significant problem with the patch gap right now, and we don’t really have solid metrics on time from bug to fix for a user, which we need,” said Daniel Cuthbert, a long-time cybersecurity researcher who co-chairs the U.K. government’s Cyber Security Advisory Board.
Google has adjusted its disclosure policies several times since launching Project Zero in 2014. At first, it gave vendors a 90-day coordinated disclosure deadline before it automatically published full details about a vulnerability, without exception.
Google in 2021 adopted a 90+30 policy, offering more carrot and less stick. If a vendor issues a patch anytime in that 90-day period, Project Zero waits 30 days before making details of the flaw public, to give end users time to patch.
Google has its coordinated vulnerability disclosure approach; other companies have theirs.
Cybersecurity firm Rapid7’s CVD policy begins with private disclosure to a vendor, notifying the U.S. CERT Coordination Center 15 days later and giving vendors 60 days to produce a patch, potentially with a 30-day extension, before publishing details publicly. If a vulnerability is already being exploited in the wild, Rapid7 typically publishes full details within 72 hours.
Exceptions apply. In June, Rapid7 revealed that over the prior 13 months, it worked with printer giant Brother, together with Japan’s JPCERT/CC, to coordinate the disclosure of vulnerabilities in 748 models of printers across five vendors.
Raj Samani, chief scientist at Rapid7, described Google’s transparency initiative as being “absolutely superb,” not least for encouraging debate amidst a rising tide of zero-day vulnerabilities being discovered in the wild. But for now, he doesn’t expect to change Rapid7’s disclosure methodology, primarily because it seems to be working well.
“It is a Pandora’s Box, but we do get a lot of vendors that are, in good faith, trying to develop patches and remediation paths and so forth,” he said. “If we get companies that are confrontational regarding disclosing a vulnerability they do not intend to remediate with any haste, and we’ve been dragged publicly on this on a couple of occasions, we’re still happy to publish it, regardless of what the other party says,” Samani said. “We’re not afraid to stand our ground, but we will do everything we can to come to a satisfactory approach, whereby there is remediation in place by the vendor before the issue is disclosed.”
“‘Responsible disclosure’ is a carefully curated dance,” Cuthbert said.