
Google relaxes bug disclosure rules following row with Microsoft


After a row with Microsoft, Google has adjusted its policy on disclosing software vulnerabilities to the companies concerned, giving them more leeway to roll out fixes for their products.

This was disclosed in a blog post by Google Project Zero's Chris Evans and Ben Hawkes, along with Google Security's Heather Adkins, Matt Moore and Michal Zalewski, and Google Security vice president Gerhard Eschelbeck.

Heading the list of adjustments is a 14-day grace period if Google is informed before the deadline that a patch is scheduled within 14 days.

"Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline," they said.

Last December, Google's Project Zero disclosed some bugs in Microsoft's flagship operating system Windows before Microsoft could patch them.

In January, Microsoft said it had asked Google to work with it to protect customers by withholding details until it released a fix.

But Project Zero said it adheres to a 90-day disclosure deadline, which is now being applied across the rest of Google as well.

Under such a policy, it will notify vendors of vulnerabilities immediately, and "share" the details with the defensive community after 90 days - or sooner if the vendor releases a fix.

"We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry," it said.

Relaxed policy

Under the new policies:

- Weekends and holidays: If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- 14-day Grace Period: If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
- Assignment of CVEs: To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we’ll ensure that a CVE has been pre-assigned.
 
But Google Project Zero said it reserves the right to bring deadlines forwards or backwards based on extreme circumstances.

"We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy," it said.

Project Zero deadlines work

Project Zero noted Adobe fixed 37 Project Zero vulnerabilities (100 percent) within the 90-day deadline.

Of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days, it added.

"Deadlines appear to be working to improve patch times and end user security -- especially when enforced consistently," it said. — Joel Locsin/LBG, GMA News