Security

Google cuts Microsoft and pals some slack in zero-day vuln crusade – an extra 14 days tops

LOL u mad, Redmond? 'Yes, we mad'

Google has adjusted the terms of its controversial Project Zero vulnerability scouting effort, loosening its 90-day disclosure policy somewhat to give companies a better chance of fixing their security bugs before they become public knowledge.

Among the changes, Google says it will no longer disclose bugs on weekends and public holidays, and it will even offer software vendors a brief grace period to finish their patches, if they request one.

Project Zero has drawn fire from software companies – most notably Microsoft – for disclosing critical vulnerabilities to the public exactly 90 days after it reports them to vendors, a policy that top Redmond security bod Chris Betz said "feels less like principles and more like a 'gotcha'."

"What's right for Google is not always right for customers," Betz wrote in a blog post in January. "We urge Google to make protection of customers our collective primary goal."

Mind you, it's only natural that Microsoft would be miffed. Among the bugs revealed by Project Zero so far are critical zero-day flaws in Windows that can potentially allow an attacker to gain full control of affected systems.

Google's vulnerability disclosures often include proof-of-concept exploit code, meaning cyber-crooks have access to working exploits the minute Google's disclosure goes live.

Still, Google seems to have heard Redmond's complaints. On Friday, the online ad-slinger said it would make changes to how Project Zero discloses flaws, but it stopped short of saying it would lengthen the 90-day deadline, noting that CERT's own deadline is even shorter.

"We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix," Google's security team wrote in a blog post. "We've chosen a middle-of-the-road deadline timeline and feel it's reasonably calibrated for the current state of the industry."

Going forward, however, 90 days won't necessarily mean 90 days. For one thing, if the date of a patch disclosure deadline falls on a weekend or a public holiday, Google now says it will hold off on its disclosure until the next working day.

What's more, the Chocolate Factory says it will extend the disclosure deadline by a grace period of up to 14 days, provided a vendor lets it know that a patch will be released on a specific date within the 14 days.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed," Google's post states.

Google says it will also be sure to pre-assign CVE (Common Vulnerabilities and Exposure) numbers to bugs that go past their deadlines before it discloses them, to avoid confusion and help the public understand specific threats.

But Redmond wasn't entirely satisfied with the changes, saying it would much rather see Google work more interactively with software vendors to apply patches.

"When finders release proof-of-concept exploit code, or other information publically before a solution is in place, the risk of attacks against customers goes up," Microsoft's Betz told The Register in an emailed statement. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies."

Google, meanwhile, said that an arbitrary deadline, albeit a nondiscriminatory one, is the best vendors can hope for.

"As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances," Google's security team said. "We remain committed to treating all vendors strictly equally." ®

Sponsored: Navigating the threat landscape