Google relaxes strict bug disclosure rules after Microsoft grievances

Google today relaxed a strict 90-day vulnerability disclosure that put it at odds with rival Microsoft, saying it would give vendors a 14-day grace period if they promised to fix a flaw within the two-week stretch.

Google today relaxed its strict 90-day vulnerability disclosure that put it at odds with rival Microsoft last month, saying it would give vendors a 14-day grace period if they promised to fix a flaw within the two-week stretch.

"If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," Google's Project Zero team said today in a blog post.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+)," the team added.

Google will also not reveal a vulnerability on weekends and U.S. public holidays, even if the timetable expires on those days.

Although Microsoft welcomed Google's modifications, it continued to disagree with Project Zero's patch-or-we-publish attitude. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies," said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a statement today. "When finders release proof-of-concept exploit code, or other information publically before a solution is in place, the risk of attacks against customers goes up."

"These were the right things to do," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in a Friday interview. "Weekends and holidays are obvious. It's true that the bad guys never sleep but you have to account for those days. And I like the grace period idea. It shows that Google is communicating with vendors."

Project Zero is composed of several Google security engineers -- including many of its most notable researchers -- who investigate not only the company's own software, but that of other vendors as well. Previously, its policy was to start a 90-day clock when it reported a flaw to an outside vendor, then publicly posted details and sample attack code at the expiration if the vulnerability had not been patched.

Over several weeks starting on Dec. 29 2014, Project Zero revealed numerous bugs in Windows before Microsoft patched them.

That quickly drew the ire of Microsoft. After Project Zero disclosed a Windows vulnerability on Jan. 11 -- two days before Microsoft was set to patch it -- the latter lashed out.

"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Betz said at the time. "[Google's] decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."

Had the new grace period been in place, some but not all of the Windows vulnerabilities disclosed by Project Zero this year would have been kept under wraps until Microsoft had patched them, including the one Betz was angry about last month.

Some, however, would have still been revealed prior to patching.

One of those vulnerabilities had been reported to Microsoft on Oct. 17, with an expiration date of Jan. 15, when Google automatically unveiled details and proof-of-concept attack code. At the time, Project Zero's bug tracker asserted that while Microsoft had initially intended to patch the vulnerability on Jan. 13, it pulled the fix "due to compatibility issues" and rescheduled it for the Feb. 10 collection. It was, in fact, patched earlier this week.

A two-week grace would not have helped Microsoft in that case.

But the grace period should answer critics who took Project Zero to task for its hard-liner policy.

"Microsoft is never going to get a fix into the first Patch Tuesday after a report, nor in the second depending on the timing," said Chet Wisniewski, a security researcher with Sophos, in a January interview. Because of Microsoft's similar-rigid Patch Tuesday schedule -- the second Tuesday of each month -- Google's disclosure deadline could "push right against the deadline almost every time," Wisniewski argued.

The automated disclosure system also removed the human element, critics said. "Google's pretty big on things being automated, versus people-driven processes," pointed out John Pescatore, director of emerging security trends at the SANS Institute, also in a January interview on Project Zero's approach.

Wisniewski thought there was another reason for the automated disclosure, and the resulting inflexibility.

"If Google made it automatic, then it can't be accused of being vindictive," said Wisniewski, referring to previous clashes between Google security engineers and Microsoft, when that charge had been leveled against the former after they revealed bugs without giving Microsoft more than a few days to patch.

Storms saw the grace period as evidence that Google realized the all-automatic disclosure process wasn't appropriate.

"It's a 'gimme,' as in the vendor saying, 'Gimme a break, I'm so close to a patch,'" said Storms of the additional time. "You have to consider the goal, which is not to shame people, but to get things fixed. [The grace period] adds a human element to it, which is necessary."

As of Friday, there were two vulnerabilities on the Project Zero bug tracker that had exceeded the 90-day deadline. Both were for flaws in Adobe's Reader; Adobe had patched the bugs in December in the Windows version of Reader, but has not yet addressed the same vulnerabilities in the OS X version of the PDF program.

Join the CSO newsletter!

Error: Please check your email address.

Tags Malware & VulnerabilitiesGoogleantispamMicrosoftsecurity

More about GoogleMicrosoftMilestoneSANS InstituteSophos

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place