Google Project Zero Changes Controversial Disclosure Policy


Google security researchers are to change their rapid disclosure of security flaws – a policy that has angered many tech firms over the years

Google’s Project Zero security team is to change its controversial disclosure policy, which has triggered angry reactions from tech firms over the years.

The Google security group was set up in 2014 to hunt down vulnerabilities, bugs and flaws before they could be used in cyber attacks.

But it soon ruffled feathers: Project Zero gave software developers a 90-day window of opportunity to fix bugs before it publicly announced the flaw, whether or not a patch was available.

Project Zero

And more controversially, Project Zero would also publish details of the vulnerabilities a week after a patch was released, much to the ire of vendors who often wanted more time for the patches to be distributed and properly applied by users.

In February 2015 for example, Google defended its policy of automatically publishing zero-day vulnerabilities discovered by its Project Zero team after 90 days.

At the time it promised to offer up to two weeks’ grace if a vendor notified the search giant that a patch was in the works.

That came after Microsoft had slammed Google for publishing details of two vulnerabilities in 2015, arguing that such disclosures harmed end users by offering attackers information about potential flaws that could be exploited.

Redmond alleged at the time that Google had refused to delay the disclosure, despite knowing that a patch was in development.

Google had likewise at the same time rejected Apple’s request for an extra week so it could rush out a patch for another flaw.

Then in August 2018 Epic Games accused Google of being “irresponsible” in its disclosure of a major security vulnerability affecting the company’s popular Fortnite game for Android, before a patch had been widely distributed.

In that case, Epic asked Google to wait the full 90 days before making information about the problem publicly available.

Google declined and made the bug public just five days after disclosing it to Epic, who had patched the problem within two days of being notified.

New policy

But now for 2020, Google is trying something new.

The security division has announced in a blog post that it will wait a full 90 days before disclosing a vulnerability, regardless of when the bug is fixed.

“At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the larger industry,” said Google.

“We’re very happy with how well our disclosure policy has worked over the past five years,” it said. “In saying that, it’s a complex and often controversial topic that is frequently discussed both inside and outside of the team.”

“We often receive feedback from vendors that Project Zero works closely with regarding our current policies: sometimes it’s things they want us to change, other times it’s how our work has positively impacted their work and users,” it said. “Conversations like these have helped develop our policies over the years. For example, we introduced our 14-day grace-period in 2015 after helpful discussions with various vendors.”

“We recently reviewed our policies and the goals we hope to accomplish with our disclosure policy,” said Google. “As a result of that review, we have decided to make some changes to our vulnerability disclosure policy in 2020.”

Google now said it would provide a full 90 days by default, regardless of when the bug is fixed.

And the change has been welcomed by other security experts.

“I think this is an excellent move by Project Zero, because once the vulnerability is patched, it does not mean that everyone is instantaneously secure,” said Jake Moore, cybersecurity specialist at ESET.

“Patches work with a time lag and this has obviously been taken into consideration to best protect both the company at stake and the users,” said Moore.

“Responsible disclosure times are a tradeoff between the scale of the vulnerability, whether it is being exploited in the wild and giving companies enough time to respond to the threat,” said Moore.

“A fixed length will most likely work for the majority of vulnerabilities and I am sure analysis of previous threats has been considered to create this mean average time,” concluded Moore. “However, for this to work, Project Zero will still have to take into account that some individual patches may clearly need more time before they are made public to best ensure the safety of their users.”

Apple spat

Google has also received criticism more recently.

In September 2019 Apple hit back at Google and made clear it felt that its security researchers had overstated the level of threat against iPhone users.

Apple’s angry response came after security researchers at Google’s Project Zero had warned iPhone users of a “sustained effort” of an attack “in the wild” against Apple devices.

The researchers detailed how hackers used booby-trapped websites to try to carry out zero-day attacks against visiting iPhone users.

But Apple disputed Google’s insistence that it was a large-scale hacking effort, and issued a hard-hitting statement alleging that Google security researchers had overstated the level of threat to iPhone users.
