Google relaxes strict bug disclosure rules after Microsoft grievances
- 14 February, 2015 08:29
Google today relaxed its strict 90-day vulnerability disclosure policy that put it at odds with rival Microsoft last month, saying it would give vendors a 14-day grace period if they promised to fix a flaw within the two-week stretch.
"If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," Google's Project Zero team said today in a blog post.
"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+)," the team added.
Google will also not reveal a vulnerability on weekends and U.S. public holidays, even if the timetable expires on those days.
Although Microsoft welcomed Google's modifications, it continued to disagree with Project Zero's patch-or-we-publish attitude. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies," said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a statement today. "When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up."
"These were the right things to do," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in a Friday interview. "Weekends and holidays are obvious. It's true that the bad guys never sleep but you have to account for those days. And I like the grace period idea. It shows that Google is communicating with vendors."
Project Zero is composed of several Google security engineers -- including many of its most notable researchers -- who investigate not only the company's own software, but that of other vendors as well. Previously, its policy was to start a 90-day clock when it reported a flaw to an outside vendor, then publicly posted details and sample attack code at the expiration if the vulnerability had not been patched.
Over several weeks starting on Dec. 29 2014, Project Zero revealed numerous bugs in Windows before Microsoft patched them.
That quickly drew the ire of Microsoft. After Project Zero disclosed a Windows vulnerability on Jan. 11 -- two days before Microsoft was set to patch it -- the latter lashed out.
"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," Betz said at the time. "[Google's] decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."
Had the new grace period been in place, some but not all of the Windows vulnerabilities disclosed by Project Zero this year would have been kept under wraps until Microsoft had patched them, including the one Betz was angry about last month.
Some, however, would have still been revealed prior to patching.
One of those vulnerabilities had been reported to Microsoft on Oct. 17, with an expiration date of Jan. 15, when Google automatically unveiled details and proof-of-concept attack code. At the time, Project Zero's bug tracker asserted that while Microsoft had initially intended to patch the vulnerability on Jan. 13, it pulled the fix "due to compatibility issues" and rescheduled it for the Feb. 10 collection. It was, in fact, patched earlier this week.
A two-week grace would not have helped Microsoft in that case.
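The revised rules (90-day clock, 14-day grace period when a patch is scheduled, no disclosure on weekends or U.S. public holidays) and the Reader-style case above can be checked mechanically. The following is an added example, not Google's or Project Zero's own tracker code: a small Python model of the policy applied to the dates in this article. The holiday list is an illustrative stand-in rather than the official U.S. calendar, and the Oct. 13 report date for the Jan. 11 disclosure is inferred from the article's statement that it was revealed two days before the Jan. 13 patch.

```python
from datetime import date, timedelta
from typing import Optional, Set, Tuple

DEADLINE_DAYS = 90   # Project Zero's standard disclosure clock
GRACE_DAYS = 14      # extra time if the vendor commits to a patch date

# Illustrative U.S. public holidays for early 2015 (constructed for this example;
# a real tracker would load the official calendar).
US_HOLIDAYS_2015: Set[date] = {
    date(2015, 1, 1),   # New Year's Day
    date(2015, 1, 19),  # Martin Luther King Jr. Day
    date(2015, 2, 16),  # Presidents' Day
}


def next_business_day(d: date, holidays: Set[date] = US_HOLIDAYS_2015) -> date:
    """Roll a date forward past Saturdays, Sundays and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported: date,
                    patch_scheduled: Optional[date] = None,
                    holidays: Set[date] = US_HOLIDAYS_2015) -> Tuple[date, str]:
    """Return (date details go public, reason) under the relaxed policy.

    - The deadline is 90 days after the report.
    - If the vendor has scheduled a patch no later than 14 days after the
      deadline, disclosure waits for the patch.
    - Otherwise disclosure happens at the deadline, pushed to the next
      business day if it falls on a weekend or holiday.
    """
    deadline = reported + timedelta(days=DEADLINE_DAYS)
    grace_limit = deadline + timedelta(days=GRACE_DAYS)
    if patch_scheduled is not None and patch_scheduled <= grace_limit:
        return patch_scheduled, "withheld until scheduled patch"
    return next_business_day(deadline, holidays), "deadline reached"


if __name__ == "__main__":
    # Case from the article: reported Oct. 17, deadline Jan. 15, patch slipped to Feb. 10.
    print(disclosure_date(date(2014, 10, 17), date(2015, 2, 10)))
    # Jan. 11 disclosure with a Jan. 13 patch: the grace period would have covered it.
    print(disclosure_date(date(2014, 10, 13), date(2015, 1, 13)))
    # Same report with no patch commitment: Jan. 11, 2015 is a Sunday, so Monday Jan. 12.
    print(disclosure_date(date(2014, 10, 13)))
```

Running the Feb. 10 case shows why the grace period would not have helped there: the rescheduled patch was 26 days past the Jan. 15 deadline, well beyond the two-week window, so the date stays at the deadline. The Jan. 13 case, by contrast, lands inside the window and is held until the patch.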
But the grace period should answer critics who took Project Zero to task for its hard-liner policy.
"Microsoft is never going to get a fix into the first Patch Tuesday after a report, nor in the second depending on the timing," said Chet Wisniewski, a security researcher with Sophos, in a January interview. Because of Microsoft's similarly rigid Patch Tuesday schedule -- the second Tuesday of each month -- Google's disclosure deadline could "push right against the deadline almost every time," Wisniewski argued.
The automated disclosure system also removed the human element, critics said. "Google's pretty big on things being automated, versus people-driven processes," pointed out John Pescatore, director of emerging security trends at the SANS Institute, also in a January interview on Project Zero's approach.
Wisniewski thought there was another reason for the automated disclosure, and the resulting inflexibility.
"If Google made it automatic, then it can't be accused of being vindictive," said Wisniewski, referring to previous clashes between Google security engineers and Microsoft, when that charge had been leveled against the former after they revealed bugs without giving Microsoft more than a few days to patch.
Storms saw the grace period as evidence that Google realized the all-automatic disclosure process wasn't appropriate.
"It's a 'gimme,' as in the vendor saying, 'Gimme a break, I'm so close to a patch,'" said Storms of the additional time. "You have to consider the goal, which is not to shame people, but to get things fixed. [The grace period] adds a human element to it, which is necessary."
As of Friday, there were two vulnerabilities on the Project Zero bug tracker that had exceeded the 90-day deadline. Both were for flaws in Adobe's Reader; Adobe had patched the bugs in December in the Windows version of Reader, but has not yet addressed the same vulnerabilities in the OS X version of the PDF program.