
Google to allow companies more time to fix problems before it screams 'gotcha'

The change comes after the company’s Project Zero initiative was criticised by Microsoft for revealing a flaw two days before a fix was due.

Image: AP Photo/Marcio Jose Sanchez

GOOGLE HAS DECIDED to add a 14-day grace period following criticism over how it handled the disclosure of security flaws relating to Microsoft and other products.

Google established Project Zero as a way of identifying security flaws in software, both its own and other companies'. To encourage vendors to fix a reported flaw, it gives them 90 days to address it; if the deadline passes without a fix, Project Zero publishes the details.

However, it was criticised last month by Microsoft for publishing a Windows 8.1 vulnerability two days before Microsoft had planned to ship a fix. At the time, Chris Betz, senior director of the Microsoft Security Response Center, described the action as “less like principles and more like a ‘gotcha’”.

Project Zero is keeping its 90-day deadline, but it will now add a 14-day grace period if a vendor tells it, before the deadline expires, that a patch will ship on a specific day within the 14 days following the deadline.

If the deadline falls on a weekend or a US public holiday, it will be pushed to the next working day. Project Zero also says it “reserves the right to bring deadlines forward or backwards based on extreme circumstances.”

It also describes the 90-day window as a “middle-of-the-road deadline timetable” that is “reasonably calibrated for the current state of the industry”. That sits between other coordinated-disclosure programmes: CERT/CC gives vendors 45 days to fix a problem, while the Zero Day Initiative gives them 120 days.

The team behind Project Zero said the deadlines acknowledge “an uncomfortable fact” about how such flaws are found: the offensive side invests far more in vulnerability research than defenders do, so a bug found by a researcher may well already be known to, and used by, well-resourced attackers.

Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.


About the author:

Quinton O'Reilly
