Google Relaxes Project Zero Bug Disclosure Policy

[MacRumors]

Google's security team Project Zero recently announced some changes to its bug disclosure policy after controversially exposing Apple and Microsoft security flaws when the companies failed to meet the 90-day deadline. The new disclosure deadline has a 14-day grace period and excludes weekends and public holidays, providing tech companies with more time to properly address security vulnerabilities in their software.

"We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch."

Project Zero is a security team consisting of experienced programmers that look through the code of Google and several of its competitors to discover security flaws, like those uncovered in OS X Yosemite back in January. The team immediately discloses any vulnerabilities found to vendors, providing them with a 90-day deadline to release a software patch before sharing the vulnerabilities with the public.

The role of Google playing security watchdog for other companies has been the subject of much debate, with some believing that the company has a disingenuous agenda and others claiming that it is taking appropriate action. Google claims that it holds itself to the same 90-day policy it enforces on other tech companies, with bugs in the pipeline for Chrome and Android that are subject to the same deadline policy.

Article Link: Google Relaxes Project Zero Bug Disclosure Policy

 

[BittenApple]

Don't be evil.

Google under Eric E. Schmidt is not good.

 

[viorelgn]

How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.

 

[Jakewilk]

So why not just call it a 104 day deadline?

 

[winston1236]

Egos aside, this is actually a very good thing for consumers as a whole.

 

[sualpine]

Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

 

[ArtOfWarfare]

So why not just call it a 104 day deadline?

You have 90 days to say that it'll be patched within 14 days - if you don't say anything by day 90, they'll reveal it. So it's a 90 day deadline. If you say something, they'll give you an extra 14 days.

Sounds like a good policy to me. I'm surprised it wasn't their policy before.

----------

Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

If you watch Google's presentations, you'll notice they tend to present on Macs and PCs, not Chromebooks. They've got more to lose from other companies vulnerabilities than their own.

 

[Musocat]

What a bunch of assbags.

 

[Robert.Walter]

What a bunch of boneheads running Google.

Can't decide if they want to be secret spies,
or public gossips.

----------

...snip...

If you watch Google's presentations, you'll notice they tend to present on Macs and PCs, not Chromebooks. They've got more to lose from other companies vulnerabilities than their own.

Wonder what that means for the rest of those using Google's products and devices when Google doesn't eat its own dog food.

 

[JoeG4]

https://m.youtube.com/watch?v=zkzWyOaS8kU

Kinda reminds me of this lol. I thunk they should have a wall of shame with how long it took to respond to these things.

 

[marzer]

I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.

 

[mbh]

You have 90 days to say that it'll be patched within 14 days - if you don't say anything by day 90, they'll reveal it. So it's a 90 day deadline. If you say something, they'll give you an extra 14 days.

And if it isn't fixed within that extra 14 days, they'll release it anyway. So, it's a 104 day absolute deadline.

 

[bhayes444]

At least there is some company out there that is searching into these vulnerabilities instead of just letting them go unchecked and hoping that they are never maliciously abused. Granted, if there isn't a fix for them then exposing them is much worse than if they had never found them. Google isn't blameless from a vulnerability fixing perspective. Take the recent WebView vulnerability that they won't patch on Android 4.3 and below; the only way is to upgrade to 4.4 and up. At least there is a division of a company (Google or not) pointing out these bugs.

 

[kuwxman]

The normal Google haters in here ignoring that them doing this is a good thing for everyone...

 

[Col4bin]

So in other words, Google is defecting attention away from their own system woes. It's like my mother used to say, "people who live in glass houses shouldn't throw stones."

I think Google better take a good hard look in the mirror and fix there own security vulnerabilities—especially when it comes to Android!

 

[kwizatz]

I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.

I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

 

[bandalay]

Google dedicates…

…a few dozen Googlers to look for bugs in competitors codebase.

Then dictates the terms of their humiliation.

The leash is now in place - will the dog jump through the hoops?

 

[TimelessOne]

I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

Problem is at that point they are 3 months in from being notified.

It means you have 3 months to get a patch together and 2 weeks to release it. AKA you had 3 months to fix it. So really you have 104 days max from being notified to released a fix max. Your fix must be completed by day 90.

 

[WestonHarvey1]

And if it isn't fixed within that extra 14 days, they'll release it anyway. So, it's a 104 day absolute deadline.

Which is all Microsoft asked for - their ordinary release schedule requires 92 days.

 

[bbeagle]

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

Exactly.

Not every bug can be fixed in an arbitrary amount of time. 90 days is arbitrary and so is 14 days. We have had some bugs in our company's software that have gone unfixed for YEARS, despite dozens of people trying to fix them. Trying to find out 'why' or 'where' the bug occurs sometimes takes most of the time, fixing it sometimes just takes minutes after that.

However, on the flip side, if there are no 'deadlines' then there is no 'incentive' to get the bug fixed.

 

[apolloa]

Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

Except the blindingly obvious is, why the hell SHOULD Google be doing this? Why can't Apple and Microsoft fix their OWN flaws BEFORE releasing software..

Face it, if it wasn't for Apple and Microsofts obsession to hit deadlines and to add features and consciously ignoring security flaws in their software, then this special Google team wouldn't exist.

I say good on Google, they should reduce the time, not extend it. Google lets it's browser get hacked every year in that competition to find flaws in security.

 

[Yuck9]

Memory problems=Security ?

Memory leaks are not a security problem. If that were the case, OSX 10.10X would win.

Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?

 

[Glideslope]

Don't be evil.

Google under Eric E. Schmidt is not good.

God All Mighty !!!!!!! Another Eric the Ass**** hater.

You made my day. SJ say's Thanks.

 

[C DM]

The normal Google haters in here ignoring that them doing this is a good thing for everyone...

I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.

It's more important to blindly hate than to spend even just a split second on rational thought.

 

[bbeagle]

Except the blindingly obvious is, why the hell SHOULD Google be doing this? Why can't Apple and Microsoft fix their OWN flaws BEFORE releasing software..

It sounds like you don't understand software. Fundamentally, software ALWAYS has bugs. Just like everything else in the world. It's high profit / low risk to find software bugs and exploit them.

I can enter your house just by using a rock I find in your garden right outside your door. But using the rock to smash your window, enter, and rob your stuff is low profit / high risk. It happens, but not as often as it could.

But it's VERY costly to find ALL bugs and fix them. It's not like I can look through software code and go 'Gee - there's a bug - I'll fix it'. It's highly complicated and takes a lot of brain power to figure out.