Feedback and data-driven updates to Google’s disclosure policy [Project Zero] by Chris Evans, et al.
From the post:
Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster. As noted in CERT’s 45-day disclosure policy, they also “balance the need of the public to be informed of security vulnerabilities with vendors’ need for time to respond effectively”. Yahoo!’s 90-day policy notes that “Time is of the essence when we discover these types of issues: the more quickly we address the risks, the less harm an attack can cause”. ZDI’s 120-day policy notes that releasing vulnerability details can “enable the defensive community to protect the user”.
Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.
Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.
To see how things are going, we crunched some data on Project Zero’s disclosures to date. For example, the Adobe Flash team probably has the largest install base and number of build combinations of any of the products we’ve researched so far. To date, they have fixed 37 Project Zero vulnerabilities (or 100%) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days. Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we’re not going to have any deadline misses for at least the rest of February.
Deadlines appear to be working to improve patch times and end user security — especially when enforced consistently.
…
I ran across the Project Zero post after reading Google Threatens to Air Microsoft and Apple’s Dirty Code by Chris Strohm and Jordan Robertson. Strohm and Robertson recite the usual pouting from Apple and Microsoft about fixed deadlines for disclosure of flaws, as though they are concerned about the safety of users.
If either Microsoft or Apple were concerned about users, they would assign teams to flaws on notice and resource those teams to produce and test fixes (do no harm) before the ninety days are up. Project Zero now has a fourteen (14) day grace period after the ninety days, so if a fix is about to be released, disclosure can be delayed. (That wasn’t always the case, which is the source of the complaints now.)
While Apple and Microsoft are important software sources, one hopes that Project Zero will not restrict its attention to those vendors or even to software. (I am assuming Project Zero monitors Google code as well?)
The average user lacks the time, training and resources to detect software flaws and certainly would not get the attention that a Project Zero report of a flaw commands.
The long tradition of secrecy until flaws are fixed has not served the user community well. Even now, it isn’t possible to say software is secure; it is only possible to say it may be free from flaw X. Maybe.
If Apple, Microsoft and others want to complain about the disclosure policies of Project Zero they should produce evidence of how secrecy of security flaws has resulted in more secure software. Not just insecure software with flaws known only to a few.
Who knows? Maybe Project Zero will attract such attention to security flaws that vendors will spend the time and money necessary to produce secure software. What a concept!
I first saw the “dirty code” post in a tweet by Marin Dimitrov.