
Google Sets New 'Aggressive' 7-Day Deadline For Vendors To Reveal Or Fix Zero-Day Bugs Under Attack

New policy narrows window for software vendors' public response to zero-day bugs discovered by Google researchers
Google today put the squeeze on software vendors with a new vulnerability disclosure policy: for zero-day bugs under active exploitation that its researchers find, Google will support publishing details if the affected vendor has not issued an advisory or a patch within seven days of being notified.

Chris Evans and Drew Hintz, security engineers with Google, made the announcement in a blog post, noting that Google's researchers recently discovered attacks using a zero-day in another unnamed vendor's software. "We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company. This isn’t an isolated incident -- on a semi-regular basis, Google security researchers uncover real-world exploitation of publicly unknown (“zero-day”) vulnerabilities. We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution," the Googlers said in their post.

Vulnerability disclosure has long been a hot-button topic. Over the past few years Google has pushed vendors hard to warn users and fix new flaws more quickly, while Microsoft has stood by its position that vulnerability fixes should not be assigned deadlines. Microsoft contends that patching is a delicate balance between quality and timeliness that can't be tied to a fixed date.

But Google is now dramatically narrowing the patch window for the most dangerous class of bugs it discovers: zero-days that are already being used in attacks in the wild.

"Our standing recommendation is that companies should fix critical vulnerabilities within 60 days -- or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation," the Google researchers say. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."

They acknowledge that a one-week turnaround is tight and may not work for some vendors. And Google itself will follow the same timeline in fixing its own bugs, they say.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," they say. "As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management."

Google security engineers in 2010 called it "irresponsible" for a software bug to remain unfixed over long periods of time -- sometimes years. They announced back then that they would set disclosure deadlines for serious bugs they found, and if the affected vendor didn't fix the bug by that date, Google would publish an analysis of it and any workarounds.

Today the engineers say it's becoming even more urgent to fix bad bugs faster. "Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world," they said in their post.
