Google’s Project Zero vulnerability research effort, under which it publicly discloses a flaw in another vendor’s software if the vendor fails to patch it within 90 days of notification, has drawn more flak than appreciation from security experts and technology giants. Google is now adjusting the policy. The Mountain View-based company announced that it will give vendors a 14-day grace period, provided they commit to shipping a fix within those extra two weeks.
“If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch,” Google’s Project Zero team said today in a blog post. “Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” the team added. The team also noted that deadlines falling on a weekend or a US public holiday are moved to the next working day, so disclosures will not land on those days.
The team grabbed headlines a couple of weeks ago when it disclosed vulnerabilities in Microsoft’s Windows 8 operating system. Although Microsoft welcomed Google’s help, it criticized the search giant’s tight deadlines and the consequences of missing them, which a Microsoft executive described as a “gotcha” attitude.
The Project Zero team had also disclosed flaws in Apple’s OS X desktop operating system. As part of the disclosure, the team published the technical details and proof-of-concept code for each vulnerability.
“While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies,” said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a statement to Computerworld today. “When finders release proof-of-concept exploit code or other information publicly before a solution is in place, the risk of attacks against customers goes up.”
Google’s Project Zero initiative has received mixed reviews from the security community. Some say that 90 days gives a vendor enough time to address and patch a flaw, while others argue that publicly disclosing an unpatched vulnerability draws more attackers to it and may pose a bigger threat than the original vulnerability itself.
Also worth noting is that Google isn’t the only organization with a disclosure deadline. The CERT Coordination Center (CERT/CC) uses a 45-day disclosure deadline, and HP’s Zero Day Initiative (ZDI) discloses a vulnerability 120 days after reporting it to the vendor.