Google Backsteps a Bit on Its Security Disclosure Policy
Google has made minor but crucial changes to its security disclosure policy after years of complaints from rivals.
“We’re very happy with how well our disclosure policy has worked over the past five years,” Google’s Tim Willis claims. “In saying that … we often receive feedback from vendors [about] things they want us to change … and we have decided to make some changes to our vulnerability disclosure policy in 2020.”
(He gets to that in a far more complex and hard-to-decipher way, so I’ve edited it down to the parts that matter.)
There are a few changes, none of which look major at first, but all are important.
First, while Google is retaining its 90-day disclosure policy, it will no longer disclose security vulnerabilities when they are fixed within that window. Instead, they will wait the entire 90 days, regardless of when bugs are fixed.
Second, Google will actually work with other firms for the first time so that disclosures can occur at the same time that the other firm is ready to explain what happened and what they did to fix this.
Microsoft, in particular, has complained about both of these problems (for example, here and here), and they have likewise complained—many times—when Google simply disclosed vulnerabilities regardless of the availability of fixes. This endangers the company’s customers, Microsoft has argued. And Microsoft has even retaliated by pointing out vulnerabilities that Google hasn’t fixed quickly.
Despite the obvious harm, Google still disagrees.
“Some vendors hold the view that our disclosures prior to significant patch adoption are harmful,” Willis continues. “Though we disagree, under this new policy, we expect that vendors with this view will be incentivized to patch faster, as faster patches will allow them ‘additional time’ for patch adoption.”
Google also argues that its policy has resulted in faster patch development and deployment, making zero-day exploits more costly. And it claims great success, noting that “some issues” needed up to 6 months to fix, whereas 97.7 percent of its issues are now fixed under the 90-day deadline.
Tagged with Security