Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Google is changing its disclosure policy for zero-day exploits - both in its own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are uncovered by Google), so this could have a big impact.
Thread beginning with comment 563441
Comment by Nelson
by Nelson on Sat 1st Jun 2013 19:26 UTC
Nelson Member since:
2005-11-29

Microsoft in 2010 on Google fully disclosing after a few days:

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.


Full disclosure time windows are a complicated matter, and often things are not that cut and dried. I do agree with Full Disclosure; I'm just not sure what the amount of time should be that passes before a disclosure is made.

Reply Score: 6

RE: Comment by Nelson
by Thom_Holwerda on Sat 1st Jun 2013 19:41 in reply to "Comment by Nelson"
Thom_Holwerda Member since:
2005-06-29

If I'm using something that has a vulnerability in it that's serious, I want to know so that I can stop using said software, disable the feature in question, or apply a workaround.

It's not my problem that most companies are really bad at protecting their customers.

Reply Parent Score: 5

RE[2]: Comment by Nelson
by Nelson on Sat 1st Jun 2013 21:10 in reply to "RE: Comment by Nelson"
Nelson Member since:
2005-11-29

As usual, you vastly oversimplify a complicated matter.

There are a lot of variables involved in software engineering, and any one change can affect various hardware configurations running on that platform, especially something as important as say, Windows.

What one person considers a fix might break something else, and cause major quality headaches down the road.

How do you deal with that? Would you appreciate a Windows Update screwing up your install? It'd be a disaster.

You can be advised via partial disclosure of a flaw and act accordingly. There is full disclosure, then there's being unreasonable.

There are potentially millions at risk, not something to be taken lightly.

Reply Parent Score: 2

RE[2]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 07:03 in reply to "RE: Comment by Nelson"
lucas_maximus Member since:
2009-08-18

You have no idea do you?

I work on a fairly small code-base; if there is a bug, it can take weeks before it goes through the QA process and I get the go-ahead to release.

This is not taking into account my own time ... and when I can be put on task for it.

Reply Parent Score: 2

RE[2]: Comment by Nelson
by Deviate_X on Mon 3rd Jun 2013 15:09 in reply to "RE: Comment by Nelson"
Deviate_X Member since:
2005-07-11

If I'm using something that has a vulnerability in it that's serious, I want to know so that I can stop using said software, disable the feature in question, or apply a workaround.

It's not my problem that most companies are really bad at protecting their customers.

I can 100% guarantee that you will be using something with a vulnerability in it ;) --> nature of the beast

Reply Parent Score: 2

RE: Comment by Nelson
by silviucc on Sat 1st Jun 2013 20:07 in reply to "Comment by Nelson"
silviucc Member since:
2009-12-05

The point of the matter is that people affected by a 0-day should know ASAP.

Some other news outlets erroneously reported something along the lines of "they better have a fix in 7 days or else". Mitigation should be possible if not by the vendor at least by the customer(s).

That 7-day window is already too large, because I have the feeling that once a 0-day is uncovered and reported, the people that could do harm already know about it.

I hope there are not people in the crowd following OSnews that believe that blackhats get their exploit info from reading CVEs ;)

Reply Parent Score: 6

RE[2]: Comment by Nelson
by Nelson on Sat 1st Jun 2013 21:13 in reply to "RE: Comment by Nelson"
Nelson Member since:
2005-11-29

That 7-day window is already too large, because I have the feeling that once a 0-day is uncovered and reported, the people that could do harm already know about it.

Have BlackHats traditionally independently discovered and exploited the same 0day a WhiteHat disclosed? I don't doubt they have the skill to discover an exploit; I'm just not certain if they'd be one and the same.

Reply Parent Score: 2

RE: Comment by Nelson
by Vanders on Sat 1st Jun 2013 23:49 in reply to "Comment by Nelson"
Vanders Member since:
2005-07-06

I do agree with Full Disclosure, I'm just not sure what the amount of time should be that passes before a disclosure is made.

So that was the relevant part of your post. The quote from Microsoft, which you don't even comment on, was there purely to confuse readers, I assume. Have you ever considered writing for a tabloid? Even Andrew Orlowski could learn a thing or two from you.

Reply Parent Score: 6

RE[2]: Comment by Nelson
by Nelson on Sun 2nd Jun 2013 00:58 in reply to "RE: Comment by Nelson"
Nelson Member since:
2005-11-29

I'm still awaiting your ultra insightful comment that I'm sure you're furiously typing away at.

Reply Parent Score: 4

RE: Comment by Nelson
by Soulbender on Sun 2nd Jun 2013 01:38 in reply to "Comment by Nelson"
Soulbender Member since:
2005-08-18

Note that this is for vulnerabilities under *active attack*. If the responsible party can't solve that in 7 days I don't know what the fuck they're doing and if they need 60 days? Stop writing software.

Reply Parent Score: 11

RE[2]: Comment by Nelson
by Nelson on Sun 2nd Jun 2013 02:07 in reply to "RE: Comment by Nelson"
Nelson Member since:
2005-11-29

You're right, this is less bad than it seems. Probably not even bad at all. 60 days is an insanely long time for something being actively exploited and undisclosed.

Reply Parent Score: 2

RE: Comment by Nelson
by JAlexoid on Mon 3rd Jun 2013 11:23 in reply to "Comment by Nelson"
JAlexoid Member since:
2009-05-19

Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation.

This part is the important bit.

Reply Parent Score: 4