One of the oldest debates in Information Security involves the right timing for responsibly disclosing a vulnerability.
This week, Google reignited the debate by announcing a new seven-day disclosure policy for critical vulnerabilities that are under active exploitation.
Is seven days the right amount of time?
“Seven days is pretty aggressive, but one has to keep in mind that it is only for zero-days, i.e. vulnerabilities that are already being exploited in the wild, rather than vulnerabilities that Google discovers in a product and discloses directly to the product owner,” Wolfgang Kandek, CTO of Qualys, told eSecurity Planet.
Kandek said that, based on recent events, the seven-day model is quite reasonable. For example, the last IE8 zero-day vulnerability was first reported on May 1. Microsoft acknowledged the vulnerability on May 3, had a workaround on May 8 and a complete fix on May 14 as part of its May Patch Tuesday update.
“I believe this is the type of collaboration and speed that Google is talking about,” Kandek said.
Getting Exploits out in the Open
The open source Metasploit project has become a key way for both hackers and researchers to learn more about vulnerabilities. Tod Beardsley, Metasploit engineering manager at Rapid7, told eSecurity Planet that as an open data zealot, he’s happy Google is committing to a seven-day maximum for providing details on actively exploited, unpatched vulnerabilities.
“Once an exploit is on the Internet, the cat is pretty much out of the bag, and rebagging cats is difficult, painful, and largely pointless,” Beardsley said. “It’s heartening to see an Internet giant like Google sticking to a very reasonable disclosure policy like this.”
Lamar Bailey, director of security research and development for Tripwire, is also supportive of Google’s new policy. In his view the policy is a big step forward for the industry.
“No vendor wants to expose customers to vulnerabilities in their products, so Google is really setting up a new SLA for themselves and raising the bar for the industry as a whole,” he said.
Bailey added that given the new policy, it will be interesting to see how Google responds to critical vulnerabilities that take more than seven days to mitigate.
Zachary Julian, senior security analyst at Stach & Liu, told eSecurity Planet that releasing a security patch within a week isn’t always possible, but that doesn’t mean Google’s new policy is a bad thing.
“System administrators and end-users should be informed of the risks and presented with sufficient information to make informed decisions to mitigate critical issues and protect their systems,” Julian said. “This is especially true for zero-day vulnerabilities, which remain most valuable to an attacker while undisclosed to vendors and the public.”
Is the Full Disclosure Debate Dead?
While many security researchers contacted by eSecurity Planet applauded Google’s move, one expert took a different view on the new disclosure policy.
Whitehat Security CTO and founder Jeremiah Grossman said that in his opinion, the “full disclosure” debate is dead.
“When is the right time to disclose what vulnerability information to whom is just as subjective as it is irrelevant,” he argued. “No one can really say with any certainty that six months, 60 days, or seven days is reasonable.”
According to Grossman, Google or any other entity that discloses a vulnerability is doing the vendor a service and also acting, at least in part, in its own personal interest.
“The question we really should be asking is how does Google benefit from shortening disclosure deadlines,” Grossman said.
When to Disclose: It Depends
While Google is moving to a seven-day policy for disclosing vulnerabilities under active exploitation, it’s not a policy everyone else in the industry will follow.
Whitehat’s Grossman noted that for his company, the vulnerabilities that are found are typically one-off exploits in custom Web application software rather than traditional zero-day issues.
“When we do uncover a zero-day, which happens from time to time, we’re more in the non-disclosure camp,” Grossman said. “The vulnerabilities we find, including the zero-days, are the property of our customers. They can decide when or if to disclose them to the affected vendors.”
Tripwire’s Bailey also will not adjust his policy to match Google’s. “We will not disclose vulnerability info before a patch is available,” he said.
With Metasploit, the answer is a bit different. Rapid7’s Beardsley noted that Metasploit already takes a similar approach to rapid disclosure.
“For Metasploit, if we get ahold of exploit code in the wild, we make it a priority to get a tested, working, safe version of the exploit into the hands of exploit developers, researchers, customers and vendors as quickly as we can,” Beardsley said. “Once it’s known that the bad guys have an exploit, we want to enable people to test their defense in depth strategies.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.