Google is set to begin publicly reporting vulnerability discoveries within one week of informing the impacted vendor.
The trial policy, named Reporting Transparency, is designed to increase transparency around vulnerabilities and speed up the rate at which end users patch flaws that could provide attackers with a gateway into their networks.
Google’s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the bug is fixed before the deadline.
However, as of July 29, Project Zero will also release limited details about any discovery it makes within one week of reporting it to the vendor. This information will encompass:
- The vendor or open-source project that received the report
- The affected product
- The date the report was filed and when the 90-day disclosure deadline expires
This information will provide a “signal” to end users that they may be affected by a new vulnerability, allowing them to monitor for issues in a particular product, Tim Willis, a researcher at Google Project Zero, wrote in a blog post published on July 29.
This signal aims to reduce the “upstream patch gap” – the period where an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product. This patch gap significantly extends the vulnerability lifecycle, according to Willis.
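The timeline described above, as an added example that is not from Google or the article: the dates a defender can derive from a Reporting Transparency notice (report date plus one week, the 90-day deadline, and the full-disclosure date under 90+30), plus a check of which notices touch products in a hypothetical inventory. The vendor, product and inventory values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy windows as described in the article (assumed to be whole calendar days).
DEADLINE_DAYS = 90        # vendor has 90 days before full disclosure
PATCH_ADOPTION_DAYS = 30  # extra 30 days for patch adoption if fixed in time
TRANSPARENCY_DAYS = 7     # limited details published within one week of the report


@dataclass(frozen=True)
class TransparencyEntry:
    """The limited fields the article says an early notice contains."""
    vendor: str
    product: str
    reported: date

    @property
    def deadline(self) -> date:
        return self.reported + timedelta(days=DEADLINE_DAYS)

    @property
    def transparency_date(self) -> date:
        return self.reported + timedelta(days=TRANSPARENCY_DAYS)


def full_disclosure_date(reported: date, fixed: Optional[date] = None) -> date:
    """Full disclosure under 90+30: 30 days after a fix that lands on or before
    the deadline, otherwise the 90-day deadline itself."""
    deadline = reported + timedelta(days=DEADLINE_DAYS)
    if fixed is not None and fixed <= deadline:
        return fixed + timedelta(days=PATCH_ADOPTION_DAYS)
    return deadline


def products_to_watch(entries: List[TransparencyEntry],
                      inventory: List[Tuple[str, str]], today: date):
    """(vendor, product, days_to_deadline) for each notice that matches an
    inventory item and whose deadline has not yet passed, soonest first."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = [(e.vendor, e.product, (e.deadline - today).days)
            for e in entries
            if (e.vendor.lower(), e.product.lower()) in wanted and e.deadline >= today]
    return sorted(hits, key=lambda h: h[2])


# Constructed sample notices and inventory, not real Project Zero data.
SAMPLE_ENTRIES = [TransparencyEntry("ExampleVendor", "ExampleBrowser", date(2025, 8, 1)),
                  TransparencyEntry("OtherCorp", "OtherKernel", date(2025, 7, 1))]
SAMPLE_INVENTORY = [("examplevendor", "examplebrowser"), ("othercorp", "otherkernel")]

if __name__ == "__main__":
    for hit in products_to_watch(SAMPLE_ENTRIES, SAMPLE_INVENTORY, date(2025, 9, 1)):
        print(hit)
```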
“We hope that this trial will encourage the creation of stronger communication channels between upstream vendors and downstream dependents relating to security, leading to faster patches and improved patch adoption for end users,” Willis noted.
Project Zero is a team of security researchers employed by Google who are tasked with discovering zero-day vulnerabilities before threat actors do.
Early Disclosure Won’t Help Attackers, Google Says
The blog post emphasized that the initial disclosure will contain no information that would help attackers develop exploits.
“We want to be clear: no technical details, proof-of-concept code, or information that we believe would materially assist discovery will be released until the deadline. Reporting Transparency is an alert, not a blueprint for attackers,” Willis commented.
Willis acknowledged that some vendors may see this policy as creating unwanted noise and attention around vulnerabilities that only they can address. However, he said the benefits of the increased transparency outweigh the risk of inconvenience to a small number of vendors.
No details have been provided on the length of the early disclosure trial, but its impact will be closely monitored by Google.
“We hope it achieves our ultimate goal: a safer ecosystem where vulnerabilities are remediated not just in an upstream code repository, but on the devices, systems and services that people use every day,” Willis added.