Google Blinks on Project Zero Security Disclosure
Common sense prevails as Google relaxes its 90-day disclosure policy for zero-day security vulnerabilities.
Google's corporate mantra has long been "Don't be Evil." However, some in the security community may have taken issue with Google's policy on disclosing zero-day security vulnerabilities, finding it inflexible if not evil.
Google's zero-day disclosures came from its Project Zero research effort, which came to light in July of 2014. Project Zero's policy stated that it would publicly disclose any security vulnerabilities it found 90 days after making an initial report to impacted vendors. The policy has created friction with multiple vendors, including Microsoft.
Google has disclosed multiple zero-day issues with Microsoft technologies so far in 2015. In one case, Google publicly disclosed a zero-day flaw on Jan. 11 that was patched two days later as part of Microsoft's regularly scheduled January Patch Tuesday update.
That two-day gap, between Google Project Zero's disclosure and the regular Microsoft update schedule, illustrates how rigid Google has been with sticking to a 90-day disclosure period.
Google Tweaks Disclosure Policy
Now Google is loosening up, but just a bit.
Under a new policy announced last week, Google will relax its 90-day policy in selected cases. The most obvious extension is if a 90-day deadline falls on a holiday or a weekend, Google will move the date to the next work day.
More importantly, the 90-day disclosure period can be extended to 104 days with a new 14-day grace period.
"If a 90-day deadline will expire, but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," Google stated.
Thus in a case like the Jan. 11 disclosure that was patched by Microsoft on Jan. 13, there would be no early zero-day disclosure of the issue if Microsoft informed Google.
Some have also found it confusing to directly correlate Google's disclosures with vendor patches and vulnerabilities. To that end, Google will now assign a CVE (Common Vulnerabilities and Exposures) identifier on the first public mention of a vulnerability, which will allow the vulnerability to be properly tracked against exploits and vendor patches.
Timely Vendor Patches
Although Google has generated some headlines due to zero-days that were disclosed prior to a vendor patch, Google claims that most vendors have patched inside of the 90-day time limit. In particular, Google noted that the Adobe Flash team had fixed all of the 37 vulnerabilities that Project Zero submitted to them inside 90 days.
"More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days," Google stated. "Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95 percent were fixed within 90 days."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.