Google's Project Zero trials 120 day disclosure window for new software flaws
The policy change aims to encourage businesses to apply patches while reducing the risk of opportunistic attacks


Google’s Project Zero team has updated its vulnerability disclosure policy to introduce a 30-day cushion for businesses to apply patches to the flaws it reports before it reveals any precise exploit mechanisms.
Until now, the security research team has adhered to a 90-day disclosure window, running from the point a vulnerability is reported to a vendor to the point it is made public, in order to give software vendors enough time to develop a patch behind the scenes.
Under the new trial, known as "90+30", the team will tack an additional 30 days onto the original window before publishing technical details, provided the vendor ships a fix within the first 90 days; the 30-day clock starts when the patch is released, not at day 90. For bugs that attackers are already exploiting in the wild, the initial deadline for a fix is cut to seven days, again followed by 30 days before technical details are published.
Project Zero is making these changes to encourage faster patch development, to ensure that each fix is correct and comprehensive, and to shorten the time between a patch being released and users installing it.
The team also wants to reduce the risk of opportunistic attacks in the period immediately after technical details are revealed. Flaws in F5 Networks' BIG-IP software suite serve as a recent example of this phenomenon: attackers began scanning for vulnerable deployments shortly after technical details of a handful of critically rated flaws were published.
The trial is significant as many security research teams across the industry seek to mould their own disclosure policies around those adopted by Project Zero. The success of this trial, therefore, could pave the way for industry-wide changes.
For example, when Project Zero moved in January 2020 to a fixed 90-day window, publishing at day 90 regardless of when a patch shipped, a host of other teams shortly followed suit, including Facebook’s internal researchers in September that year.
“Much of the debate around vulnerability disclosure is caught up on the issue of whether rapidly releasing technical details benefits attackers or defenders more,” said Project Zero’s senior security engineering manager, Tim Willis.
“From our time in the defensive community, we've seen firsthand how the open and timely sharing of technical details helps protect users across the Internet. But we also have listened to the concerns from others around the much more visible "opportunistic" attacks that may come from quickly releasing technical details.”
He added that, although it continues to believe the benefits of quick disclosure outweigh the risks, Project Zero was willing to incorporate feedback into its policies. “Heated discussions” about the risks and benefits of releasing technical details, or proof-of-concept exploits, have also been a significant roadblock to cooperation between researchers and vendors.
Project Zero will, in future, explore shortening the initial 90-day window in order to push vendors to develop patches faster than they currently do, with the aim of one day adopting something closer to a 60+30 policy. Based on its patch-time data, the team expects to reduce the window in 2022 from 90+30 to 84+28.
Although vendors often release patches in a timely manner, one of the biggest challenges in cyber security is getting customers to actually apply those updates to protect themselves against exploitation.
There are countless examples of patched vulnerabilities that are still being actively exploited because organisations have failed to apply the relevant updates.
The Cybersecurity and Infrastructure Security Agency (CISA), for instance, revealed in 2020 that many of the ten most commonly exploited flaws were ones for which patches had existed for years. As of December 2019, attackers were still exploiting a vulnerability in Windows common controls that Microsoft had fixed in April 2012.
As the trial unfolds in the coming months, Project Zero has encouraged businesses that want to understand more about the vulnerabilities being disclosed to approach their vendors or suppliers for technical details.
The team won’t reveal proofs of concept or technical details before the 30-day window elapses unless Project Zero and the vendor mutually agree to earlier publication.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.