Google’s Project Zero bug-hunting team has tweaked its 90-day responsible disclosure policy to help improve the quality and adoption of vendor patches.
Project Zero is a group of researchers that looks for zero-day vulnerabilities in technology products and services. When it finds a bug, the team informs the vendor responsible for the product and opens an internal bug report known as a tracker, shielded from public view.
The vendor then has 90 days to fix the bug before Project Zero lifts the veil. This policy, known as responsible disclosure, sits at the midpoint compared to other organizations. US CERT, for example, goes public 45 days after discovering a bug, while the Zero Day Initiative waits 120 days.
Google says that 97.7% of the bugs it reports are fixed within deadline, up from the 95.5% that it reported in the period between February 2015 and July 2019. So now, it’s expanding its focus from faster bug fixes to better ones. With that in mind, the Project Zero team has outlined some changes to its disclosure policy that it hopes will tighten up its handling of security bugs.
The most significant sees it switch to a standard policy of disclosing a vulnerability after 90 days. In the past, it has used that cutoff as the latest possible disclosure time, but has revealed a bug as soon as a vendor announced a fix. Now, in an effort to ensure that vendors thoroughly test their patches rather than rushing them out the door, it will wait for the full 90-day period before disclosing a flaw, even if the vendor has fixed it weeks beforehand.
Holding off on public bug reports should also make it easier to get patches out to users. Google explained:
…some vendors hold the view that our disclosures prior to significant patch adoption are harmful. Though we disagree (since this information is already public and being used by attackers per our FAQ here), under this new policy, we expect that vendors with this view will be incentivised to patch faster, as faster patches will allow them “additional time” for patch adoption.
Project Zero is also taking a harder line with vendors who release poor patches. In the past, it has sometimes filed an incomplete fix as a separate vulnerability rather than adding it to the existing bug report, effectively resetting the clock for a vendor to get it right a second time.
It did this with Microsoft back in 2017, for example. In the future, vendors with dodgy patches won’t get a second chance. Project Zero will add incomplete fixes to the existing bug report, even if it has been made public. If the report has not yet been released, Project Zero will not extend the vendor’s deadline. It said:
We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits.
The Project Zero team is also providing more clarity on how it handles the grace period. Announced in 2015, this is a 14-day window following the official 90 day window during which Google researchers would avoid going public with the bug as long as the vendor promised to deliver a fix.
In the past, Project Zero would go public with the bug “sometime after” a vendor shipped a patch during the grace period. In future, it will open its tracker report immediately after the release of a patch. The seven-day deadline that it imposes for zero-days being exploited in the wild is unchanged.
One comment on “Google’s Project Zero highlights patch quality with policy tweak”
That’s so cute, goog telling others to be secure all while serving the most malware of any source on the net in their playstore. (yes I keep beating this dead horse) Without ever notifying users when they remove a malicious app – even though you have to use a valid email to get the files. Goog, it’s nice you want the rest of the world to serve good software, but you really should work on your own mess while your at it.