Google's Project Zero trials 120 day disclosure window for new software flaws

The policy change aims to encourage businesses to apply patches while reducing the risk of opportunistic attacks

Google’s Project Zero team has updated its vulnerability disclosure policies to introduce a 30-day cushion for businesses to apply patches to the flaws it discloses before revealing any precise exploit mechanisms.

Currently, the security research team adheres to a disclosure windows lasting 90 days, which lasts from the point a vulnerability is reported to a vendor to when they make it public, in order to give software vendors enough time to develop a patch behind the scenes.

Project Zero's new trial, however, will see the team tack on an additional 30 days to the original window before publishing any technical details, including details behind zero-day vulnerabilities. This will be cut to a period of seven days for bugs that hackers are actively exploiting.

Project Zero is making these changes to encourage faster patch development, to ensure that each fix is correct and comprehensive, and to shorten the time between a patch being released and users installing it.

The team also wants to reduce the risk of opportunistic attacks immediately after technical details are revealed. Flaws in F5 Networks' BIG-IP software suite serves as a recent example for this phenomenon, where hackers began scanning for vulnerability deployments shortly after technical details behind a handful of critically-rated flaws were published.

The trial is significant as many security research teams across the industry seek to mould their own disclosure policies around those adopted by Project Zero. The success of this trial, therefore, could pave the way for industry-wide changes.

For example, when Project Zero first introduced an automatic 90-day disclosure window in January 2020, a host of other teams shortly followed suit, including Facebook’s internal researchers in September that year.

“Much of the debate around vulnerability disclosure is caught up on the issue of whether rapidly releasing technical details benefits attackers or defenders more,” said Project Zero’s senior security engineering manager, Tim Willis.

“From our time in the defensive community, we've seen firsthand how the open and timely sharing of technical details helps protect users across the Internet. But we also have listened to the concerns from others around the much more visible "opportunistic" attacks that may come from quickly releasing technical details.”

Related Resource

Taking a proactive approach to cyber security

A complete guide to penetration testing

A complete guide to penetration testing - whitepaper from CyberCxDownload now

He added that despite continuing to believe that quick disclosure outweighs the risks, Project Zero was willing to incorporate feedback into its policies. “Heated discussions” about the risk and benefits of releasing technical details, or proof-of-concept exploits, have also been a significant roadblock to cooperation between researchers and vendors.

Project Zero will, in future, explore reducing the initial 90-day disclosure window in order to encourage vendors to develop patches far quicker than they currently do, with the aim of one day adopting something closer to a 60+30 policy. Based on its data, the team is likely to reduce the disclosure window in 2022 from 90+30 to 84+28.

Although vendors often do release patches in a timely manner, one of the biggest challenges in cyber security is encouraging customers to actually apply these updates to protect themselves against potential exploitation.

There are countless examples of patched vulnerabilities that are still being actively exploited because organisations have failed to apply the relevant updates.

The Cybersecurity and Infrastructure Security Agency (CISA), for instance, revealed in 2020 that many of the top-ten most commonly exploited flaws were those for which patches have existed for years. As of December 2019, hackers were even exploiting a vulnerability in Windows common controls that Microsoft fixed in April 2012.

As the trial unfolds in the coming months, Project Zero has encouraged businesses keen to understand more about the vulnerabilities being disclosed to approach their vendors or suppliers for technical details.

The team won’t reveal any proofs-of-concept or technical details prior to the 30-day window elapsing unless there’s a mutual agreement between Project Zero and the vendor.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021