Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

AP Photo/Marcio Jose Sanchez

Google to allow companies more time to fix problems before it screams 'gotcha'

The change comes after the company’s Project Zero initiative was criticised by Microsoft for revealing a flaw two days before a fix was due.

GOOGLE HAS DECIDED to add a 14-day grace period following criticism over how it handled the disclosure of security flaws relating to Microsoft and other products.

Google established Project Zero as a way of identifying security flaws in products, both its own and other companies. As a way of encouraging developers to fix the problem, it would give them 90-days to address it otherwise it would publish the details.

However, it was criticised last month by Microsoft for revealing a software vulnerability relating to Windows 8.1 two days before it had planned to fix it. At the time, the senior director of Microsoft’s Security Response Centre Chris Betz described the action as “less like principles and more like a ‘gotcha’”.

Now, while it still maintains its 90-day deadline period, it will now add a 14-day grace period if a vendor lets them know before the deadline that a patch will be applied on a specific day within the 14-days following the deadline.

It will also move the deadline forward if it happens to fall on a weekend or US public holiday, moving it to the next working day. It says that it “reserves the right to bring deadlines forward or backwards based on extreme circumstances.”

It also says that the 90-days window is a “middle-of-the-road deadline timetable” that is “reasonably calibrated for the current state of the industry. This is in comparison to other similar services like CERT, which only gives developers 45-days to fix a problem, and the Zero Day Initiative which gives developers 120-days to respond.

The team behind Project Zero said the deadlines acknowledge “an uncomfortable fact” about how these flaws are discovered in the first place. Attackers put more resources into their efforts than companies do improving security.

Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.

Read: Here are some of the moments that helped shape YouTube >

Read: This will help you clean up your Facebook news feed quickly >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
3 Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.
    JournalTv
    News in 60 seconds