Google has set third-party suppliers a seven-day deadline for disclosing critical vulnerabilities in software to...
help users protect themselves from attack.
The company claims to discover the active exploitation of publicly unknown or zero-day vulnerabilities on a semi-regular basis and work with suppliers to fix the problem.
If suppliers fail to meet the deadline, Google’s own security researchers will make the details of the vulnerability public.
Google’s standing recommendation is that companies should fix critical vulnerabilities within 60 days, or at least should notify the public about the risk and offer workarounds.
However, the company said in its online security blog that more urgent action is appropriate for critical vulnerabilities under active exploitation.
“Each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” security engineers Chris Evans and Drew Hintz wrote.
“Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly,” they wrote.
Google admits that seven days is an “aggressive timeline” and may be too short for some suppliers to update their products.
Each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised
Chris Evans and Drew Hintz, Google
However, the company said a week should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the supplier for more information.
“By holding ourselves to the same standard, we hope to improve both the state of web security and the co-ordination of vulnerability management,” Google said.
While is it well-known that software suppliers often drag their heels in responding to reported security vulnerabilities, security industry pundits have expressed concern about the deadline.
Some fear that if details of zero-day vulnerabilities are published before suppliers can respond with a patch, it may result in more attacks rather than make organisations better protected.
In a bid to force better response times from other software suppliers and eliminate delays of sometimes up to three years, HP TippingPoint has a 60-day deadline.
However, the firm’s bug finders do grant extensions if there is a legitimate reason, aiming only to make software suppliers more responsive without increasing risk of attack.
Read more on responsible disclosure
- Suppliers need to prepare for new security vulnerability handling standards
- Dutch government publishes security flaw disclosure guide
- Microsoft seeks true 'responsible' vulnerability disclosure
- Incident non-disclosure amounts to hiding facts from shareholders
- Is a full vulnerability disclosure strategy a responsible approach?
At an international level, software makers need to prepare for two new ISO standards on vulnerability handling processes that are due for publication by the end of 2013.
ISO 30111 covers all vulnerability handling processes, whether they are identified internally or reported by an external source.
The standard provides guidelines and recommendations for investigating and remediating vulnerabilities.
ISO 29147 covers vulnerability disclosures from external sources such as users, security researchers and hackers.
The standard provides guidelines for preparing to receive external vulnerability reports, and the first requirement is for suppliers to make it easy to make contact with the right people internally.
Katie Moussouris, editor of the 30111 standard and senior security strategist lead at Microsoft, expects ISO 29147 to make it easier to report vulnerabilities in software and services.
She expects ISO 30111 to raise the level of investigations carried out by suppliers and to improve the speed and quality of remediation.