Google’s Project Zero backs off a bit – will now give up to 14 days’ grace

Google’s been under the pump – a bit, anyway – over its Project Zero.

If you’ve missed the controversy, it goes something like this:

  1. Google’s bug-hunters find an exploitable vulnerability in your code.
  2. Google tells you about it.
  3. You get 90 days to make and ship a fix.
  4. If you fail to make it in time, for whatever reason, Google publishes the bug report, proof-of-concept included, for the world to see.

If you're a critic, you'll consider this unfair.

Google is hanging a Damocletian zero-day over the heads of engineering departments, coders, QA teams, companies, shareholders.

No excuses, no extensions, not even a glimmer of human compassion: a computer does the countdown, and a computer presses the button that drops the 0-day.

If you're a proponent, you'll argue that Google is trying to squeeze us all, including itself, to get more real-worldly at fixing things.

Nothing like a bit of no-nonsense, non-negotiable pressure to focus your mind, and to weed out those companies that tend to sweep vulnerabilities under the carpet to avoid the effort of fixing them.

No excuses, no political favours, no inconsistent human judgment that cuts favours to some wheedling vendors yet drops the anvil on others: a computer does the countdown, and a computer presses the button that drops the 0-day.

What do we think?

Over the past month or so, Chester Wisniewski and I have discussed these issues from various angles in our weekly Sophos Security podcast, the Chet Chat.

Here’s what we said about Project Zero at the back end of January 2015, in Episode 182. [Relevant content runs from 6’29” – 8’00”]


We concluded with these words:

PD. If the Motor Vehicle Licensing Authority can give me two weeks' grace when my licence disc expires, Google could have given Microsoft two days. Wouldn't you say?

CW. Seems like it.

Apparently, either great minds think alike, or Google’s Project Zero team not only listens to, but is also influenced by, the Chet Chat!

In a recent posting on Google’s Online Security Blog, the company announced some changes:

  • Two weeks’ grace. If you have a patch scheduled for a specific day within the 14 days after the 90-day deadline, and you tell Google so before the deadline expires, disclosure is held back until the patch ships.
  • Weekend and holiday deferral. If the 90 days would expire on a weekend or a public holiday, the deadline moves to the next working day.

That’s only US weekends and public holidays, by the way.

So if you’re a company that operates out of another country – Ireland, say, or The Netherlands – and that’s where most of your coders, and your customers, are, bad luck: many of your public holidays aren’t going to line up.

And if you genuinely are working on a patch but are going to be 15 days late shipping it, you get no grace at all: the extension covers only a patch scheduled within the 14-day window, not progress made towards one.

Whither disclosure?

The strange thing in all of this, which I hadn’t realised until right now, is that Project Zero doesn’t entirely remove politics or inconsistency from the disclosure period, as some proponents have argued.

As Google reminds us:

We reserve the right to bring deadlines forwards or backwards based on extreme circumstances.

In short, Google is determined to keep dropping zero-days, including proofs-of-concept, in its own way, whether you’re ready or not, in the belief that this will ultimately benefit the good guys more than the crooks.

Maybe a bit of pressure is good for us all?

Of course, if it turns out that the X-day squeeze works well, by induction, perhaps an (X-1)-day squeeze ought to work even better?

Place your bets in the comments below.

How long until the accepted zero-day droppage period is down to 45 days? 14 days? 7 days?