Arguing that speedy software fixes enhance user security, Google wants the security community to change vulnerability disclosure practices.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 21, 2010

2 Min Read

Google's security team on Tuesday asked the computer security community to reconsider the meaning of responsible disclosure and to adopt a more rigorous approach in order to respond more quickly to vulnerabilities.

Responsible disclosure, explain Chris Evans, Eric Grosse, Neel Mehta, Matt Moore, Tavis Ormandy, Julien Tinnes, and Michal Zalewski in a blog post, involves notifying software vendors about vulnerabilities privately, to provide time to patch vulnerable products before the flaws are made public.

It's an approach preferred by large software makers such as Apple, Microsoft, and Oracle. But Google's security researchers argue it's no longer working.

"We’ve seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," they contend.

An example of industry foot-dragging could be seen in January, when Ormandy disclosed details about a vulnerability in the Windows Virtual DOS Machine (VDM) subsystem. Microsoft had been aware of the flaw, which had existed for 17 years, for at least six months and had not fixed it when Ormandy published details of the problem. He notified Microsoft of the bug on June 12, 2009 and he says that Microsoft acknowledged the notification 10 days later.

Ormandy was also behind the publication of a zero-day vulnerability in the Windows Help and Support Center function in Windows XP and Windows Server 2003.

Negative response to that disclosure prompted an unknown number of security researchers to strike back by forming a group dedicated to full disclosure, which involves letting everyone know about a vulnerability at the same time.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the group declared in a security advisory published earlier this month. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

For Google's security team, the language of the debate -- specifically the use of the term "responsible" -- needs to change. Insisting that private disclosure of vulnerabilities is responsible puts those advocating a different approach at a disadvantage by implying that any alternative is irresponsible, they argue.

What's more, they argue that it can be irresponsible to leave flaws unfixed for long periods of time. They suggest that critical bugs in widely deployed software should be fixed in no more than 60 days.

"We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts," Google's security team concludes. "Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights