The Project Zero security team has expanded disclosure for all bugs to a full 90 days after first being flagged, even if the bug has been fixed early, as part of a number of changes to its policies and objectives.
Previously, its security researchers would disclose a bug that’s been flagged after 90 days have elapsed, or when the bug was fixed, at their discretion.
The Google-run team, however, is trialling 90-day disclosure by default, whether or not the bug has been fixed, unless a mutual agreement is reached between Project Zero and any vendor in concern.
Project Zero’s policy goals have also evolved beyond just ‘faster patch deployment’, to also encompass ‘thorough patch development’ and, among customers, ‘improved patch adoption’.
Extending the disclosure window to 90 days for bugs that have been fixed, meanwhile, will lead to incomplete fixes reported back, and compiled into the original bug report, as opposed to being filed under a new vulnerability. This was also previously done at the discretion of any particular researcher.
“We're constantly considering whether our policies are in the interest of user security, and we believe this change is a further step in the right direction,” said Project Zero manager Tim Willis. “We also think it's simple, consistent and fair.
“We want to make attacks using zero-day exploits more costly. We do this through the lens of offensive vulnerability research and evidence of how real attackers behave.
“This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realised that faster patch development and patch deployment were very important and areas for industry improvement.”
The team has been at the heart of a string of significant bug disclosures of varying severity over the last few years, including, for example, the disclosure in 2018 of a significant Edge browser bug that Microsoft didn't fix within the 90-day window.
Project Zero’s core principles also came under review, with the team prioritising simplicity, consistency and fairness to different vendors, where some don’t get preferential treatment over others.
Its two new core objectives, thorough patch deployment and improved adoption, meanwhile are being added in conjunction to the full extension of the 90-day window as there were concerns that some companies fixed bugs by simply “papering over the cracks”.
By extending the disclosure window to a full 90 days for all bugs, including fixed bugs, Project Zero is hoping that the aim of ‘faster patch deployment’ will no longer lead to compromise on quality if there’s no need to rush getting fixes out.
As a result of extending disclosure to 90 days, researchers are hoping to see more iterative and through patching practices from vendors, and also improve patch adoption since Project Zero is incentivising vendors to offer updates to a large population within 90 days.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
