Google's vulnerability discovery team 'Project Zero' changes disclosure policy, giving time to patch application



Google's security team,

Project Zero, which specializes in zero-day attacks that are difficult to deal with among cyber attacks, has changed its disclosure policy regarding the technical details of the vulnerabilities it has discovered. This policy change is expected to give users more time to apply patches after vendors have developed patches to fix the vulnerabilities.

Project Zero: Policy and Disclosure: 2021 Edition
https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html



Google's Project Zero updates vulnerability disclosure rules to add patch cushion | The Record by Recorded Future
https://therecord.media/googles-project-zero-updates-vulnerability-disclosure-rules-to-add-patch-cushion/

Project Zero allowing for more time to roll out patches in 2021 --9to5Google
https://9to5google.com/2021/04/15/google-project-zero-2021/

In a blog post on April 15, 2021, Project Zero team leader Tim Willis commented that the Project Zero team is coordinating policies and practices to achieve their mission. He said that he evaluated the policy based on feedback from vendors developing fix patches for vulnerabilities and created a new approach for 2021.

The policy up to 2020 was to disclose technical details 90 days after the Project Zero team pointed out the zero-day vulnerability, even if no patch was developed. So if you said, 'I can't release a patch within 90 days, but I can release it within 104 days,' the vendor could request a grace period of 90 days plus 14 days. In addition, it is said that the vulnerability that has already been confirmed to damage users was disclosed 7 days after it was pointed out.

On the other hand, the new policy of 2021 will disclose the technical details 90 days after the release of the patch for the vulnerability, but if the patch is released, the technical details will be disclosed 30 days after the release. Is disclosed. This means that if the vendor releases the patch 85 days after the Project Zero issue, the technical details will be disclosed 115 days after the issue.

In addition, the grace period that the vendor can request is 14 days as in 2020, but the grace period will be included in the date of '30 days after correction'. For example, if you use 90 days after the issue + 10 days grace period and release the patch 100 days after the issue, the technical details will be released after '100 days + (30-10 days) = 120 days'. That's right. In addition, for vulnerabilities that have already been confirmed to damage users, if a patch is released within 7 days of the indication, the technical details will be disclosed 30 days later.



Willis said the change was to give affected users time to update their products. The previous 'disclose technical details 90 days after the issue' rule implicitly 'not only releases the patch within 90 days, but also gives users time to apply the patch'. The purpose was to put pressure on them.

However, the vendor did not notice this implicit pressure, and in some cases patch development was carried out until the last minute for 90 days. In addition, vendors have expressed concern that 'even if you develop a patch within 90 days, most users will have a 90-day disclosure deadline before applying the patch.'

Therefore, Project Zero states that the timeline for patch development has been made easier to understand by clearly stating the period of '90 days for patch development + 30 days for disclosure of technical details'. In addition, it seems that the reason why the schedule was not set to '60 days + 30 days' is to avoid causing confusion to the vendor due to sudden changes. Project Zero wants to shorten the period from the discovery of a vulnerability to the release of a patch, suggesting that the '90 days + 30 days' timeline may be shortened in stages.



There is a debate about the move to quickly disclose the technical details of the vulnerability, 'Which is more profitable for the attacker or the defender?' Project Zero claims that disclosure of technical details helps protect Internet users as a whole, based on its experience of protecting businesses and users from attackers, but it also listens to concerns and incorporates them into its policies. ... apparently ...

in Security, Posted by log1h_ik