Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea
Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products.
As a result of the amended policy, vulnerability details will remain undisclosed for a longer period of time, giving developers enough time to fix their code, and netizens to test and install the patches, before Googlers make technical details and proof-of-concept exploits public for all to see.
In either case, of course, you're racing against malware developers who pore over your security patch as soon as it is released, looking for a way to attack users who haven't yet applied it - and bear in mind that when Google goes public, it typically posts proof-of-concept exploit code, taking care of most of that effort for miscreants.
In a blog post on Tuesday, Tim Willis, Project Zero manager, explained that the policy tweak is intended to encourage more thorough patch development and better patch adoption, while maintaining the policy's original goal of driving faster patch development.
In other words, Project Zero researchers hope the fixed 90-day disclosure window will give vendors' security engineers more time after the initial patch is developed to ensure it also covers minor variations of the exploit that could otherwise bypass the fix.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/07/google_project_zero/