The zero-day flaw research group has revised how it discloses the technical details of vulnerabilities, in the hope of speeding up the release and adoption of fixes.
Google Project Zero will now give organisations a 30-day grace period to patch the zero-day flaws it discovers, under a new disclosure policy revealed this week that is aimed at shortening the time it takes for patches to be adopted.
Known for discovering a number of high-profile zero days, in Google’s own products as well as in rival Apple’s software, Project Zero in 2020 began revealing the technical details of flaws its researchers discovered 90 days after the initial vulnerability report.
However, the research group is now changing this tactic slightly: it will delay disclosure of the technical details of a vulnerability until 30 days after a patch is issued, provided that patch is created within the 90-day period, according to a blog post by Project Zero’s Tim Willis published on Thursday.
“Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he wrote.
Moving to this so-called “90+30 model” will allow researchers and the industry as a whole to “decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis explained.
Details of Vulnerabilities
However, the technical details of vulnerabilities that remain unpatched during the 90-day period after Project Zero discovers them will still be disclosed immediately once that grace period is up, the post states.
Project Zero is also applying a similar policy to in-the-wild exploits, which are currently disclosed, along with technical details, seven days after they are identified.
Under the new disclosure timeline, if a patch is released during the seven-day notification period, researchers will not release technical details until 30 days later, the post states. Moreover, vendors whose products are affected by the vulnerability can ask for a 3-day grace period before Project Zero reveals technical details.
Vulnerability management and patching have long been a difficult endeavour, especially for larger organisations that struggle to keep up with every bug that comes along and affects various parts of their IT networks.
Even with consumer-facing companies like Microsoft, Google and Apple, which release patches to customers automatically through update programs, patching does not always go as smoothly as vendors would wish.
Sometimes this is because customers do not enable automatic updates on their devices, leaving them unpatched for longer than they should be; at other times it is the companies themselves that are responsible for the lag between the discovery of a vulnerability and the availability of a patch.
When Project Zero introduced the 90-day disclosure policy last year, it aimed to balance three goals, Willis stated: faster patch development, shortening the time between a bug report and a fix being available to users; thorough patch development, ensuring each fix is correct and comprehensive; and improved patch adoption, shortening the time between a patch being released and users installing it.
However, the project did not see “a significant shift in patch development timelines” that it had hoped for under its 2020 disclosure policy, he explained.
Vendors also repeatedly raised concerns about the public release of technical details about vulnerabilities and exploits before most users had installed the patch, Willis noted. “In other words, the implied timeline for patch adoption wasn’t clearly understood,” he explained.
Google hopes that the new policy will set clearer guidelines for vendors so that they patch faster and thereby improve adoption time across their user base.
To push this effort along even further, Project Zero said it will shorten the 90-day disclosure deadline “in the near future” to reduce the time it takes to patch a flaw, and will keep tightening it to speed up patch adoption “over the coming years until a steady state is reached,” Willis concluded.