Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Google relaxes strict bug disclosure rules after Microsoft grievances

Gregg Keizer | Feb. 16, 2015
After dust-up between the companies over bug revelations, Google offers 14-day grace period before going public.

Google today relaxed its strict 90-day vulnerability disclosure that put it at odds with rival Microsoft last month, saying it would give vendors a 14-day grace period if they promised to fix a flaw within the two-week stretch.

"If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," Google's Project Zero team said today in a blog post.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+)," the team added.

Google will also not reveal a vulnerability on weekends and U.S. public holidays, even if the timetable expires on those days.

Although Microsoft welcomed Google's modifications, it continued to disagree with Project Zero's patch-or-we-publish attitude. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies," said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a statement today. "When finders release proof-of-concept exploit code, or other information publically before a solution is in place, the risk of attacks against customers goes up."

"These were the right things to do," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in a Friday interview. "Weekends and holidays are obvious. It's true that the bad guys never sleep but you have to account for those days. And I like the grace period idea. It shows that Google is communicating with vendors."

Project Zero is composed of several Google security engineers -- including many of its most notable researchers -- who investigate not only the company's own software, but that of other vendors as well. Previously, its policy was to start a 90-day clock when it reported a flaw to an outside vendor, then publicly posted details and sample attack code at the expiration if the vulnerability had not been patched.

Over several weeks starting on Dec. 29 2014, Project Zero revealed numerous bugs in Windows before Microsoft patched them.

That quickly drew the ire of Microsoft. After Project Zero disclosed a Windows vulnerability on Jan. 11 -- two days before Microsoft was set to patch it -- the latter lashed out.

"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Betz said at the time. "[Google's] decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.