I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.

Because, at that point they've had three and a half months, not three weeks. If you can't fix in three and a half months, get out of this business.

Are Google's motivations on this all good? I actually think they are - or at least benevolent self-interest. Google uses a TON of stuff from Apple and MS and is a high-profile target themselves. They want it as secure as any major corporation does.
 
And when companies wouldn't make that additional 14 day window, which isn't an automatic window but one that would require companies actually have some fairly good reasoning behind it, people would have still had the same comments about having more time and making more exceptions, etc., etc., etc.

Yeah, it isn't automatic, that would make it a hard 104 day deadline. :)

This is just a small adjustment that doesn't change the vast majority of what's behind it all and what was already part of the project and what Google has already been doing.

It's an adjustment in relation to their disclosure process, which is what some criticized back then. In the end, having un-patched bugs with security implications published affects users.

The issues they find are still the important things and at the center of it all (whether they are small or not or if people care about them or not). That still hasn't changed either.

Yeah, they haven't ended project zero, and no one has claimed that, and it's not what we are discussing.
 
The schedule? Sure, but there are many convenient things everywhere, but that doesn't mean things continue as normal because of convenience when something arises.

It's convenient to change a car's oil at specific intervals and often get various other things checked out and maintained at the same time, but if you just got that done a week ago and now an issue with the brakes comes up out of nowhere, while it would be convenient to wait until the next oil change to get it taken care of, does that really make sense just because of convenience?

There's certainly the convenience factor, but there are many other more important factors that can come into play in various scenarios.

And the two issues are completely unrelated. Releasing vulnerabilities even though you know they're going to be patched in two days is something that leads to more problems, not less.
 
And the two issues are completely unrelated. Releasing vulnerabilities even though you know they're going to be patched in two days is something that leads to more problems, not less.
Probably because patches of certain types shouldn't be scheduled mostly by convenience.

In any case, now there's a process to deal with that kind of thing if truly necessary, so that seems to have been taken care of (maybe not in the best/better way, but in a way nonetheless).
 
Because, at that point they've had three and a half months, not three weeks. If you can't fix in three and a half months, get out of this business.

Are Google's motivations on this all good? I actually think they are - or at least benevolent self-interest. Google uses a TON of stuff from Apple and MS and is a high-profile target themselves. They want it as secure as any major corporation does.

If you're a software engineer, I think you should retire for saying such idiotic things.

Google created the biggest botnet on the face of the world and it's growing every single second. Every single piece of crap they say on security is a joke. IF they cared about security they'd pay the OEMs money to update the phones they abandoned willfully because of their extremely lame OS update framework. Considering they're the only ones making money from those phones, not the OEM or the telecom, I think it's only fair...

People keep saying CERT has a 45-day release, when in fact it is highly dependent on circumstances and how the vendor reacts. If the client can't fix it, or even mitigate it if the vulnerability is released until the vendor has a fix, they sit on it a while.

Their policies on the site say a different thing than their FAQ BTW, for people who want to read. From my experience, the FAQ is closer to how they actually work.
 
If you're a software engineer, I think you should retire for saying such idiotic things.

Google created the biggest botnet on the face of the world and it's growing every single second. Every single piece of crap they say on security is a joke. IF they cared about security they'd pay the OEM money to update the phones they abandoned willfully because of their extremely lame OS update framework.

People keep saying CERT has a 45-day release, when in fact it is highly dependent on circumstances and how the vendor reacts. If the client can't fix it, or even mitigate it if the vulnerability is released until the vendor has a fix, they sit on it a long time.
Perhaps it would be a good idea for things to change and for companies to start putting consumers a bit further ahead of various other interests they might have when something important like security warrants it, instead of spending more time following flawed processes, dealing with flawed systems, and just playing some sort of blame game and pointing fingers.
 
This is standard and accepted practice in computer security; public disclosure is a necessary practice to promote security by keeping public pressure on companies to patch quickly. 90 days is a very reasonable disclosure timeline.

It's those who disclose on day 0 that are working against your best interests.

No, it is NOT reasonable if the harm is bigger. That's the whole point. Google had a fixed date that totally disregarded actual harm. CERT will release in 45 days, or sit on it a while, depending on the nature of the issue and the vendor response.

If you have some bug that is very widespread and very hard to mitigate, and takes a massive effort to fix from the vendor (and issuing a bad fix could possibly completely wipe out the end user), releasing the vulnerability (and how to exploit it) right away could have bad consequences. While it is possible that this exploit has been found out, it is also very possible that security researchers are the only ones that actually found it. That doesn't mean someone should let the vendor slack off for a year, but it means that CERT or the like should work together with them to get the fix in as soon as possible.

If the potential effect is bad, but it is possible for the user to quickly mitigate it (and the vendor to patch it), the vulnerability will be announced quickly.

The issue also is that often big breaches come from chained vulnerabilities. As vulnerabilities that are well known increase (say because they've been announced), the chance of such chains happening increases. A minor issue can become a major hole. In this case, releasing them quickly is probably not a good idea if a patch is coming soon. That was the case for Microsoft and Apple bugs that started the whole discussion.
 
The normal Google haters in here ignoring that them doing this is a good thing for everyone...

It's controversial precisely because it's not good for everyone. You expect multi-billion dollar companies to drop everything and/or change their development priorities every time a security bug is found? And if the company doesn't patch the bug within the arbitrary timeline that Google has set, all the hackers have access to the exploit. Google's products have plenty of bugs. They should focus on fixing their own stuff instead of throwing stones from their glass house.
 
That's a damn laugh, they don't even fix 18-month-old code that affects 60% of their users. Google is a big joke. They hide behind OEMs supposedly being responsible when it's their broken-down implementation that's to blame. They are a joke.

Last time I checked, Lollipop was already released and yet OEMs didn't provide the update. When Google releases updates and Samsung, Sony, HTC or LG don't go through the hassle of updating them for their own software/hardware, you can't really blame Google.
Imagine Rovio decides not to support iOS 9 because they have some (or even a lot of) code modification to do; you can't say Apple is responsible.

You don't see this problem on iOS or Nexus (yes, Google, the Nexus 4 was updated) because both the hardware and software come from the same company.

Now it's not to say Lollipop doesn't have ugly bugs, like wifi, battery performance, apps crashing, ...
Interestingly enough, this list also applies to iOS.

I know, I know, you probably don't have any problem with iOS 8 and your iPhone 6, but millions of people don't have problems on their Android either.


Maybe next time, you may expose facts instead of the biased "Google is Evil and does nothing right because they suck", because this song is getting old.



It's controversial precisely because it's not good for everyone. You expect multi-billion dollar companies to drop everything and/or change their development priorities every time a security bug is found? And if the company doesn't patch the bug within the arbitrary timeline that Google has set, all the hackers have access to the exploit. Google's products have plenty of bugs. They should focus on fixing their own stuff instead of throwing stones from their glass house.

Again, this is not just "bugs". They are security issues. Wouldn't you drop what you're currently doing if you realized you left your door wide open? But then maybe you don't care if someone accesses your data online, gets personal information and releases it on the internet.
I'm pretty sure Jennifer Lawrence wouldn't agree with you, though.

You all act like it's the first time people are doing that. Companies hire security firms to test and audit their code, and some guys also do that for a living.
 
Problem is at that point they are 3 months in from being notified.

Depends how good that report is on the first day, and how busy the company is. Otherwise, the policy is saying that Google-discovered security issues must be patched before other security issues, no matter how ****** the reporting is.
 
It's controversial precisely because it's not good for everyone. You expect multi-billion dollar companies to drop everything and/or change their development priorities every time a security bug is found? And if the company doesn't patch the bug within the arbitrary timeline that Google has set, all the hackers have access to the exploit. Google's products have plenty of bugs. They should focus on fixing their own stuff instead of throwing stones from their glass house.
If a company, let alone a multi-billion one, doesn't have a process to deal with security or other important/urgent fixes, then there's a bigger issue in play here that truly needs to be addressed as soon as possible.

As far as accusing Google of having their own bugs, that's not really relevant nor is it some sort of an excuse for other systems having issues and not addressing them as soon as possible.
Depends how good that report is on the first day, and how busy the company is. Otherwise, the policy is saying that Google-discovered security issues must be patched before other security issues, no matter how ****** the reporting is.
All security issues should be addressed as soon as they can be.
 
Last time I checked, Lollipop was already released and yet OEMs didn't provide the update. When Google releases updates and Samsung, Sony, HTC or LG don't go through the hassle of updating them for their own software/hardware, you can't really blame Google.
Imagine Rovio decides not to support iOS 9 because they have some (or even a lot of) code modification to do; you can't say Apple is responsible.

You don't see this problem on iOS or Nexus (yes, Google, the Nexus 4 was updated) because both the hardware and software come from the same company.

Now it's not to say Lollipop doesn't have ugly bugs, like wifi, battery performance, apps crashing, ...
Interestingly enough, this list also applies to iOS.

I know, I know, you probably don't have any problem with iOS 8 and your iPhone 6, but millions of people don't have problems on their Android either.


Maybe next time, you may expose facts instead of the biased "Google is Evil and does nothing right because they suck", because this song is getting old.

You think I've just dropped off from space or what and don't know what's what? Reality is biased: when some system's security is abysmal, it is abysmal. No sugar coating it. We are talking about security here, aren't we?

Beating up on Lollipop is like kicking a small toy robot; not much fun. That's why I keep out of Android forums, unlike many Android fans that camp here.

BTW, there are probably more than 1B Android systems that have gaping security holes in them because Google messed up when they created Android. Those are the facts about security. And that's just security bugs in the OS itself.

The whole of Android's security model is broken as designed, outside any bug. From sideloading, to malware from the Play Store that quasi-bricks millions of phones, to the non-granularity of the permission system. Android security is as real as a unicorn.

Google whining about OEMs doesn't absolve them from security issues, no more than it would absolve Apple if they didn't patch a security bug for 18 months, because well, people should just buy another phone if they want to be safe... That's seemingly Google's implicit policy.

Even with Lollipop, they can't update all security without the OEMs' implication. They voluntarily created a hacker's paradise.

That's obvious because Chromebooks seem to be an attempt to repudiate what they did before with Android; have they reformed? Maybe, but the mess they created is still there.

PS: You do realize that Nexus is only a few % of sales? That Google used to subsidize them, and now they do not. Sales of Nexus devices thus have cratered.
 
I couldn't give less than a rat's ass for whatever reasons Google digs out security issues with their competitor's products. Someone does it. Security issues get fixed (or not). That's all that counts.

If Google doesn't reveal those issues, chances are that they go unnoticed by the good guys - but the bad guys are already exploiting them, so making security issues public after a grace period makes the world a better place.

It's that simple.

No, not really. Haven't you ever heard the saying? "Locks just keep the honest people honest."

Don't get me wrong, I think it's great for competitors to go bug hunting on each other; it's hard to catch the sneaky bugs in your own code. I don't even blame them for wanting public credit when finding them; that's good PR and it's fair. But announcing the bug such that anyone with requisite skill can exploit it? That's nothing short of irresponsible; they're practically ASKING people to exploit their competitors' software, thereby unnecessarily jeopardizing the security of everyone using that platform.

Google is not law enforcement. What they're doing should be illegal, and there ought to be an appropriate government official who can receive Google's findings instead of honest people who don't need the temptation.
 
No, not really. Haven't you ever heard the saying? "Locks just keep the honest people honest."

Don't get me wrong, I think it's great for competitors to go bug hunting on each other; it's hard to catch the sneaky bugs in your own code. I don't even blame them for wanting public credit when finding them; that's good PR and it's fair. But announcing the bug such that anyone with requisite skill can exploit it? That's nothing short of irresponsible; they're practically ASKING people to exploit their competitors' software, thereby unnecessarily jeopardizing the security of everyone using that platform.

Google is not law enforcement. What they're doing should be illegal, and there ought to be an appropriate government official who can receive Google's findings instead of honest people who don't need the temptation.
That's why those responsible for the affected software/systems are notified with information about the issue first and given time to deal with it.
 
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.

None.. They've not listed a single Android phone, ever, or addressed any of their flaws.. even though a vast majority of their phones are not even on KitKat..

It's a joke, a targeted smear campaign. A Google showing how it is truly a hypocrite.
 
None.. They've not listed a single Android phone, ever, or addressed any of their flaws.. even though a vast majority of their phones are not even on KitKat..

It's a joke, a targeted smear campaign. A Google showing how it is truly a hypocrite.

That's the point, they know they have more security holes than anybody in the biz. What better way to hide your own mistakes than by exposing everybody else's?
Other companies can do the same and look for security issues in Google's products. One thing isn't related to another. To try to somehow link the two is to make irrelevant, inconsequential connections that aren't even really there.
 
ah well.. that's nice of Google...

excluding public holidays :)

How many extra days would that be.....

It should really be the job of Google to "police" other companies, just because they can't manage it themselves, but then again, users also deserve to know.

Hands are tied.

It's nice to know Google also has their stake in other companies and is not just zeroing in on Apple either ....

On the back-burner, don't we all actually do the same ? If we haven't found anything we don't say anything ?
 
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.
Google has left vulnerable roughly 1 billion active Android devices by not providing a fix to a security vulnerability that affects all devices running Jelly Bean and prior.

https://community.rapid7.com/commun...ides-patches-for-webview-jelly-bean-and-prior
https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF
 
But it's VERY costly to find ALL bugs and fix them. It's not like I can look through software code and go 'Gee - there's a bug - I'll fix it'. It's highly complicated and takes a lot of brain power to figure out.

These are not just bugs, of course. They're security holes.

As for being difficult to figure out, the hardest part of any debugging is finding a way to duplicate the problem.

In these cases, the Project Zero team has already done that. Fixing should then be relatively easy and quick.

(I have over forty years' debugging experience, having taken my first formal programming course in 1971.)

Nobody was complaining about 90 days to fix. That's way more than enough time. The complaint was that management had a 90 day release cycle, and sometimes the Project Zero deadline came just days before that.
 
That's why those responsible for the affected software/systems are notified with information about the issue first and given time to deal with it.

You've entirely missed my point.

Who is Google to say how much time their competitor has to resolve security issues? And don't say 90 days is plenty; you're not managing operations of a billion dollar behemoth and simply aren't qualified to say so.

Google is assuming a position of authority amongst peers with no basis for it and they are actively endangering the livelihood of millions of people with the way in which they are enforcing it. The bottom line is this:

Google should find a way to do this without introducing new or additional harm to the innocent, unwitting public.
 
Egos aside, this is actually a very good thing for consumers as a whole.

Provided that employees aren't biased to non-Google products. If they find a critical flaw in Microsoft/Apple vs Google, I am not sure their reporting is going to exactly be fair in the public disclosure.

A group tasked to police itself isn't really policing itself. Sorry, don't buy it.
 
You've entirely missed my point.

Who is Google to say how much time their competitor has to resolve security issues? And don't say 90 days is plenty; you're not managing operations of a billion dollar behemoth and simply aren't qualified to say so.

Google is assuming a position of authority amongst peers with no basis for it and they are actively endangering the livelihood of millions of people with the way in which they are enforcing it. The bottom line is this:

Google should find a way to do this without introducing new or additional harm to the innocent, unwitting public.

Yup, 90 days is plenty. As a consumer I don't even want it to take 90 days. And if a company, let alone a billion dollar behemoth can't do it in that time, then there are problems with the system they designed and/or the processes they have in place, and those should be fixed as soon as possible.

Why should we as consumers have sympathy about a company that we paid money to for not addressing security issues as soon as possible? How does any consumer think that which is against their own interests?

----------

Provided that employees aren't biased to non-Google products. If they find a critical flaw in Microsoft/Apple vs Google, I am not sure their reporting is going to exactly be fair in the public disclosure.

A group tasked to police itself isn't really policing itself. Sorry, don't buy it.

They found an issue and it should be fixed. Why do people care why they found it or anything like that? The only thing that really matters to a consumer is that the issue was found and should be fixed as soon as possible.
 