In addition to a 90-day deadline, Google has given software developers an additional 14-day grace period to issue a patch before publicly disclosing a flaw.
In what appears to be a response to recent criticism, Google has added a 14-day grace period to its 90-day deadline for software vendors to patch security vulnerabilities reported to them under the search giant’s controversial Project Zero vulnerability research and disclosure program.
For disclosure deadlines that expire on a weekend or a holiday, Google will move the deadline to the next working day, members of the Project Zero team said in a blog post. Google has publicly disclosed software flaws when software vendors, including Microsoft, failed to patch flaws before the Project Zero deadline.
Google described the policy change as a response to feedback it has received from external sources on its Project Zero program. Several data points that the company has collected on the effort also support the increased flexibility, Google noted.
“We believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline,” the blog post noted.
Google launched Project Zero last July as a program designed to uncover security vulnerabilities in widely-used software products from any vendor. The company has committed to hiring the “best practically-minded security researchers” to pore through popular software products and identify vulnerabilities that put users of such software at risk. Google has cast Project Zero as an altruistic effort to improve Internet security on behalf of customers. All bugs discovered under the program are reported directly to the vendor and then later—after a fix is available—to an external database. The company maintains that it will never report bugs to third parties and has expressed its willingness to work with vendors on security patches.
Project Zero offers vendors up to 90 days to patch flaws that Google reports to them. After that, the company automatically discloses the vulnerability regardless of whether a patch is available or not.
But some security researchers and software vendors have criticized both the research and the disclosure policies. Microsoft for instance recently blasted Google after the latter disclosed details on a zero-day bug in a Microsoft product just two days before a fix was scheduled for release.
Microsoft claimed that it had notified Google about the fix and chided the company for not pushing back the disclosure despite receiving the heads-up.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha,” with customers the ones who may suffer as a result,” Chris Betz, Microsoft’s senior director of Trustworthy Computing said. “What’s right for Google is not always right for customers,” Betz noted in urging the company to respect a coordinated vulnerability disclosure process.
Security researchers too have criticized Google for setting a dangerous precedent and have said the company would be better served focusing the vulnerability research on its own products rather than those of others.
The recent policy update does not mention any of the criticisms, but instead seeks to once again reiterate Google’s position on the topic. Deadlines are necessary to get vendors to fix security issues in a reasonable time frame, the company said.
When Google finds a security vulnerability in a high-profile software product, there is a good chance that cyber adversaries know about it as well, the company said.
An analysis of Project Zero’s disclosures up to now shows that 90 days is a reasonable time for a vendor to fix a known security flaw, Google said. The Adobe Flash team for instance, fixed all 37 reported flaws reported to it within the 90-day period.
In fact, 85 percent of the 154 bugs uncovered by the Project Zero team since the effort was launched were fixed within 90 days. Since October 2014, 95 percent of all reported bugs have been patched within that deadline, the blog said.