Google Project Zero Changes Rules On Revealing Cyberattacks

According to TechRadar, Google’s Project Zero has revealed that it will be trialling a new policy under which the security team will give companies a full 90 days before disclosing issues in their systems or software. The search giant’s team of security analysts is well regarded for discovering major vulnerabilities, but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to address this while also holding companies more accountable for how they patch security issues.


EXPERTS' COMMENTS
Ceri Charlton, Associate Director, Bridewell Consulting
January 10, 2020
I do not believe that the change will lead to vulnerabilities being open for longer.
The focus of Project Zero has been one metric: faster patch development. Like all good responsible disclosure practices the intention is to pressurise vendors into developing patches promptly, before the bad guys discover the same vulnerability. The latest change means that while this remains the most important metric, it’s not the only one. It’s also important that developers have time to ....

Casey Ellis, CTO and Founder, Bugcrowd
January 09, 2020
The policy’s delayed disclosure notice is a smart move.
Project Zero’s policy and disclosure update is a solid concession given the amount of time it can take to get a security patch fully deployed to users, even when a vendor fixes the bug quickly. The right kind of pressure can be a good thing when it comes to vulnerability finds and fixes, and this is what Google is trying to optimize through its policy. Creating efficient patch developments, b ....

Jake Moore, Cybersecurity Specialist, ESET
January 09, 2020
A fixed length will most likely work for the majority of vulnerabilities.
I think this is an excellent move by Project Zero, because once the vulnerability is patched, it does not mean that everyone is instantaneously secure. Patches work with a time lag and this has obviously been taken into consideration to best protect both the company at stake and the users. Responsible disclosure times are a tradeoff between the scale of the vulnerability, whether it is being exp ....