Google relaxes disclosure policy following criticism

Posted by   Virus Bulletin on   Feb 16, 2015

Grace period added for vulnerabilities that are about to be patched.

Last year, Google announced a new disclosure policy, where details of a vulnerability discovered by the company's researchers would be published within 90 days of the affected vendor being notified, regardless of whether or not a patch had been released. If the vulnerability were to be actively exploited in the wild, details would even be disclosed within seven days.

This policy has been controversial to say the least, with many arguing that patching can be complicated, especially when a vulnerability is buried deep inside the code. When, last month, Google published details of a privilege escalation vulnerability in Windows 8.1 just days before Microsoft issued a patch, many saw it as irresponsible on Google's part.

I have mixed feelings about this issue. On the one hand, Google's policy adds clarity to the disclosure debate. Even when vulnerabilities are disclosed responsibly, it can take vendors a very long time to patch, leaving customers at risk and making researchers feel that they might as well sell their discoveries on underground markets.

On the other hand, I feel a bit uncomfortable about Google unilaterally deciding what's best for the Internet. And some recent cases do make one wonder whether it's really in everyone's interest that details of a vulnerability are disclosed a matter of days before a patch is released.

Thankfully, Google is not immune to criticism and has responded by relaxing its policy in two ways.

Firstly, disclosure will never take place during weekends or public holidays; in such cases the deadline will be moved to the next working day.

Secondly, a 14-day 'grace period' has been added for vulnerabilities that will be fixed within two weeks of the 90-day deadline. This should prevent cases like the one affecting Microsoft where the vendor has a patch ready, yet is running some QA-tests, or is waiting for its own patch cycle.

I think Google has made some very reasonable concessions here, without significantly compromising on the essential message of its program: patch quickly, or someone will exploit the vulnerability.

Posted on 16 February 2015 by Martijn Grooten



Latest posts:

Firefox 59 to make it a lot harder to use data URIs in phishing attacks

Firefox developer Mozilla has announced that, as of version 59 of the browser, many kinds of data URIs, which provide a way to create "domainless web content", will not be rendered in the browser, thus making this trick - used in various phishing…

Standalone product test: FireEye Endpoint

Virus Bulletin ran a standalone test on FireEye's Endpoint Security solution.

VB2017 video: Consequences of bad security in health care

Jelena Milosevic, a nurse with a passion for IT security, is uniquely placed to witness poor security practices in the health care sector, and to fully understand the consequences. Today, we publish the recording of a presentation given by Jelena at…

Vulnerabilities play only a tiny role in the security risks that come with mobile phones

Both bad news (all devices were pwnd) and good news (pwning is increasingly difficult) came from the most recent mobile Pwn2Own competition. But the practical security risks that come with using mobile phones have little to do with vulnerabilities.

VB2017 paper: The (testing) world turned upside down

At VB2017 in Madrid, industry veteran and ESET Senior Research Fellow David Harley presented a paper on the state of security software testing. Today we publish David's paper in both HTML and PDF format.