What troubles Google's vulnerability discovery team 'Project Zero' when 'reporting vulnerabilities to vendors'


A zero-day attack, which exploits a software vulnerability in the window between its discovery and the distribution of a fix, is extremely difficult to defend against and can cause enormous damage to businesses and individuals. Google has a security team, "Project Zero", that specializes in researching such zero-day attacks and countering them. Project Zero, made up of hand-picked, highly skilled hackers, reports software vulnerabilities to the vendor when it discovers them, and it has published a blog post explaining the problems it runs into when reporting vulnerabilities to vendors.

Project Zero: Adventures in vulnerability reporting
https://googleprojectzero.blogspot.com/2018/08/adventures-in-vulnerability-reporting.html

When Project Zero reports security vulnerabilities to vendors, in most cases the report goes through very smoothly, but there are cases in which reporting is far more troublesome and complicated than expected. To prevent zero-day attacks, it is important that developers learn of vulnerabilities as early as possible and distribute patches, but none of that can happen if the vulnerability cannot be reported to the vendor in the first place.

From the vulnerability reporter's point of view, it is extremely helpful to have a contact point for reporting vulnerabilities somewhere easy to find. If the official website of the vendor or software does not state where vulnerabilities should be reported, or if the information listed is too old to be usable, the vulnerability report is delayed.

"When reporting vulnerabilities, it is very much appreciated when the process is clearly documented and is short and simple," says the Project Zero team. Dozens of vulnerabilities are sometimes found in a single piece of software, so it is preferable that a report requires few clicks and few pages to load. If the reporting process is too long, the team says, a reporter may put the report off partway through or give up on it altogether.


The Project Zero team also explains that it is important for the vendor to notify the reporter when it has received a vulnerability report. A report can be lost along the way through a software problem or human error, leaving Project Zero wondering whether the vendor actually registered it. Even if the vendor cannot respond to the vulnerability quickly, Project Zero says it is reassured just to receive a reply confirming that the report was received.

Project Zero also points out that vendors have not thoroughly checked their own vulnerability reporting processes. The Project Zero team cites the case of a vulnerability it discovered in Samsung's software and explains the many problems it encountered in the reporting process.

Samsung's security page has a button for reporting vulnerabilities. When the reporter clicked the button, they were asked to sign in to an account in order to submit the report, but the reporter did not have a Samsung account. When the reporter tried to create one......



......they were sent to a Korean-language page. At this point, a reporter who does not understand Korean has no idea what to do.



The reporter somehow reached the English sign-up page, but was next asked to agree to several sets of terms and sign a contract.



Although most of the clauses seemed to have no direct relationship to vulnerability reporting, the reporter had no choice but to agree to them in order to report the vulnerability. Among other things, the reporter says, they had to enter a birthday and postcode, and some of the text was still in Korean.



Ultimately, the reporter was able to reach the vulnerability report page, but it stated that Samsung's consent must be obtained before publishing any vulnerability found, and that Samsung may not grant permission to publish it. "The vulnerability reporting process we went through this time was not a comfortable one," the Project Zero team recalls.

About Samsung's vulnerability reporting process, Project Zero says that the vendor had not checked its own process. Being suddenly sent from an English page to a Korean one means that the English version of the reporting process was never checked, and a workflow that is unnecessarily long is unkind to the user. Although Samsung's vulnerability reporting process has since been improved, Project Zero says the same problems occur at other vendors.

In addition, Project Zero gives a vendor 90 days to distribute a fix after reporting a vulnerability, and once those 90 days have passed it discloses the vulnerability, on the grounds that users cannot be left at risk any longer. Therefore, Project Zero says, it is a problem when a vulnerability report form contains clauses such as "the vulnerability may be published only after 180 days" or "publishing the vulnerability without agreement is prohibited".


Project Zero urges software vendors to confirm that there are no problems with their vulnerability reporting processes, saying that vulnerability reports delayed by problems in the vendor's reporting process have a negative impact on security.

in Software, Web Service, Security, Posted by log1h_ik